From d31386bd98ad5f63812cfb833b035444b8f04ac9 Mon Sep 17 00:00:00 2001 From: woloski Date: Mon, 27 Aug 2012 03:08:58 -0300 Subject: [PATCH 001/203] change package innfo --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 19b5a53..00290e3 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { - "name": "passport-azure-acs", + "name": "passport-wsfed-saml2", "version": "0.1.0", - "description": "Windows Azure Access Control Service auth for Passport.", + "description": "WS-federation with SAML 2 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "author": { "name": "Matias Woloski", "email": "matias@auth10.com", From 8258295ec31c82a7fe311808c72d9d69346e33ee Mon Sep 17 00:00:00 2001 From: woloski Date: Mon, 27 Aug 2012 13:47:39 -0300 Subject: [PATCH 002/203] support for thumbprint check --- examples/login/app.js | 6 ++++-- lib/passport-wsfed-saml2/saml.js | 31 ++++++++++++++++++++++++++++--- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/examples/login/app.js b/examples/login/app.js index 706f6e6..14c2faa 100644 --- a/examples/login/app.js +++ b/examples/login/app.js @@ -3,7 +3,6 @@ var express = require('express') , util = require('util') , wsfedsaml2 = require('../../lib/passport-wsfed-saml2/index').Strategy , fs = require('fs'); - var users = [ { id: 1, givenName: 'matias', email: 'matias@auth10.com' } @@ -42,7 +41,10 @@ passport.use(new wsfedsaml2( realm: 'urn:node:app', homeRealm: '', // specify an identity provider to avoid showing the idp selector identityProviderUrl: 'https://auth10-dev.accesscontrol.windows.net/v2/wsfederation', - cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg=' + // setup either a certificate base64 encoded (cer) or just the thumbprint of the certificate if public key is embedded in the signature + + //cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg=' + thumbprint: 'a3cff17cbf7e793a97861390eb698d00e9598537' }, function(profile, done) { console.log("Auth with", profile); diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 9bd00b9..ebc9046 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -8,6 +8,10 @@ var querystring = require('querystring'); var SAML = function (options) { this.options = options; + + if (!options.cert && !options.thumbprint) { + throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate'); + } }; SAML.prototype.certToPEM = function (cert) { @@ -17,7 +21,7 @@ SAML.prototype.certToPEM = function (cert) { return cert; }; -SAML.prototype.validateSignature = function (xml, cert) { +SAML.prototype.validateSignature = function (xml, cert, thumbprint) { var self = this; var doc = new xmldom.DOMParser().parseFromString(xml); var signature = xmlCrypto.xpath.SelectNodes(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; @@ -27,11 +31,32 @@ SAML.prototype.validateSignature = function (xml, cert) { return "" }, getKey: function (keyInfo) { + if (thumbprint) { + var embeddedSignature = keyInfo[0].getElementsByTagName("X509Certificate"); + if (embeddedSignature.length > 0) { + var base64cer = embeddedSignature[0].firstChild.toString(); + var shasum = crypto.createHash('sha1'); + var der = new Buffer(base64cer, 'base64').toString('binary') + shasum.update(der); + self.calculatedThumbprint = shasum.digest('hex'); + + return self.certToPEM(base64cer); + } + } + return self.certToPEM(cert); } }; sig.loadSignature(signature.toString()); - return sig.checkSignature(xml); + var valid = sig.checkSignature(xml); + + if (cert) { + return valid; + } + + if (thumbprint) { + return valid && this.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase(); + } }; SAML.prototype.getElement = function (parentElement, elementName) { @@ -45,7 +70,7 @@ SAML.prototype.validateResponse = function (samlAssertionString, callback) { var self = this; // Verify signature - if (self.options.cert && !self.validateSignature(samlAssertionString, self.options.cert)) { + if (!self.validateSignature(samlAssertionString, self.options.cert, self.options.thumbprint)) { return callback(new Error('Invalid signature'), null); } From 863269f76fa0056bd94e44be89d8ad70ab50f538 Mon Sep 17 00:00:00 2001 From: woloski Date: Mon, 27 Aug 2012 14:12:45 -0300 Subject: [PATCH 003/203] adding audience check --- lib/passport-wsfed-saml2/saml.js | 33 ++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index ebc9046..b9f4ed4 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -59,12 +59,25 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint) { } }; -SAML.prototype.getElement = function (parentElement, elementName) { - if (parentElement['saml:' + elementName]) { - return parentElement['saml:' + elementName]; - } - return parentElement[elementName]; -} +SAML.prototype.validateExpiration = function (samlAssertion) { + var notBefore = new Date(samlAssertion.Conditions['@'].NotBefore); + notBefore = notBefore.setMinutes(notBefore.getMinutes() - 10); // 10 minutes clock skew + + var notOnOrAfter = new Date(samlAssertion.Conditions['@'].NotOnOrAfter); + notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 10); // 10 minutes clock skew + + var now = new Date(); + + if (now < notBefore || now > notOnOrAfter) + return false; + + return true; +}; + +SAML.prototype.validateAudience = function (samlAssertion, realm) { + var audience = samlAssertion.Conditions.AudienceRestriction.Audience; + return audience === realm; +}; SAML.prototype.validateResponse = function (samlAssertionString, callback) { var self = this; @@ -77,6 +90,14 @@ SAML.prototype.validateResponse = function (samlAssertionString, callback) { var parser = new xml2js.Parser(); parser.parseString(samlAssertionString, function (err, samlAssertion) { + if (!self.validateExpiration(samlAssertion)) { + return callback(new Error('Token has expired.'), null); + } + + if (!self.validateAudience(samlAssertion, self.options.realm)) { + return callback(new Error('Audience is invalid. Expected: ' + self.options.realm), null); + } + profile = {}; profile.issuer = samlAssertion.Issuer; From 25d8ccd35841cb9b686355924e8869122bec8964 Mon Sep 17 00:00:00 2001 From: woloski Date: Mon, 27 Aug 2012 17:53:13 -0300 Subject: [PATCH 004/203] update readme and bump to 0.2 with support of audience uri and expiration --- README.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c2783ad..4c14f2b 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ You need to provide a route corresponding to the `path` configuration parameter ```javascript app.post('/login/callback', - passport.authenticate('wsfedsaml2', { failureRedirect: '/', failureFlash: true }), + passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true }), function(req, res) { res.redirect('/'); } diff --git a/package.json b/package.json index 00290e3..9f625cb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.1.0", + "version": "0.2.0", "description": "WS-federation with SAML 2 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "author": { "name": "Matias Woloski", From 44e009c82af0896228b7e5aadb1d011f6a835f31 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 9 Dec 2012 10:27:46 -0300 Subject: [PATCH 005/203] support for saml 1.1 assertions --- lib/passport-wsfed-saml2/saml.js | 64 ++++++++++++++++++++++---------- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index b9f4ed4..2d6323f 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -25,7 +25,7 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint) { var self = this; var doc = new xmldom.DOMParser().parseFromString(xml); var signature = xmlCrypto.xpath.SelectNodes(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; - var sig = new xmlCrypto.SignedXml(); + var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); sig.keyInfoProvider = { getKeyInfo: function (key) { return "" @@ -59,11 +59,11 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint) { } }; -SAML.prototype.validateExpiration = function (samlAssertion) { - var notBefore = new Date(samlAssertion.Conditions['@'].NotBefore); +SAML.prototype.validateExpiration = function (samlAssertion, version) { + var notBefore = new Date(version === '2.0' ? samlAssertion.Conditions['@'].NotBefore : samlAssertion['saml:Conditions']['@'].NotBefore); notBefore = notBefore.setMinutes(notBefore.getMinutes() - 10); // 10 minutes clock skew - var notOnOrAfter = new Date(samlAssertion.Conditions['@'].NotOnOrAfter); + var notOnOrAfter = new Date(version === '2.0' ? samlAssertion.Conditions['@'].NotOnOrAfter : samlAssertion['saml:Conditions']['@'].NotOnOrAfter); notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 10); // 10 minutes clock skew var now = new Date(); @@ -74,11 +74,37 @@ SAML.prototype.validateExpiration = function (samlAssertion) { return true; }; -SAML.prototype.validateAudience = function (samlAssertion, realm) { - var audience = samlAssertion.Conditions.AudienceRestriction.Audience; +SAML.prototype.validateAudience = function (samlAssertion, realm, version) { + var audience = version === '2.0' ? samlAssertion.Conditions.AudienceRestriction.Audience : samlAssertion['saml:Conditions']['saml:AudienceRestrictionCondition']['saml:Audience']; return audience === realm; }; +SAML.prototype.parseAttributes = function (samlAssertion, version) { + var profile = {}; + var attributes; + if (version === '2.0') { + attributes = samlAssertion.AttributeStatement.Attribute; + attributes.forEach(function (attribute) { + var value = attribute.AttributeValue; + if (typeof value === 'string') { + profile[attribute['@'].Name] = value; + return; + } + }); + } else { + attributes = samlAssertion['saml:AttributeStatement']['saml:Attribute']; + attributes.forEach(function (attribute) { + var value = attribute['saml:AttributeValue']; + if (typeof value === 'string') { + profile[attribute['@'].AttributeNamespace + '/' + attribute['@'].AttributeName] = value; + return; + } + }); + } + + return profile; +}; + SAML.prototype.validateResponse = function (samlAssertionString, callback) { var self = this; @@ -90,27 +116,25 @@ SAML.prototype.validateResponse = function (samlAssertionString, callback) { var parser = new xml2js.Parser(); parser.parseString(samlAssertionString, function (err, samlAssertion) { - if (!self.validateExpiration(samlAssertion)) { + var version; + if (samlAssertion['@'].MajorVersion === '1') + version = '1.1'; + else if (samlAssertion['@'].Version === '2.0') + version = '2.0'; + else + return callback(new Error('SAML Assertion version not supported'), null); + + if (!self.validateExpiration(samlAssertion, version)) { return callback(new Error('Token has expired.'), null); } - if (!self.validateAudience(samlAssertion, self.options.realm)) { + if (!self.validateAudience(samlAssertion, self.options.realm, version)) { return callback(new Error('Audience is invalid. Expected: ' + self.options.realm), null); } - profile = {}; - profile.issuer = samlAssertion.Issuer; - var attributeStatement = samlAssertion.AttributeStatement; - var attributes = attributeStatement.Attribute; - attributes.forEach(function (attribute) { - var value = attribute.AttributeValue; - if (typeof value === 'string') { - profile[attribute['@'].Name] = value; - return; - } - profile[attribute['@'].Name] = value['#']; - }); + var profile = self.parseAttributes(samlAssertion, version); + profile.issuer = version === '2.0' ? samlAssertion.Issuer : samlAssertion['@'].Issuer; if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; From c645165b5e29df0c3f2c9df0c3931273af236272 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 9 Dec 2012 10:28:39 -0300 Subject: [PATCH 006/203] bump to 0.3.0 --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 9f625cb..2f5bda7 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "passport-wsfed-saml2", - "version": "0.2.0", - "description": "WS-federation with SAML 2 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", + "version": "0.3.0", + "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "author": { "name": "Matias Woloski", "email": "matias@auth10.com", From fbf24573f96e25fb1c6b23b76eaeb40fe2cab4f0 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 9 Dec 2012 21:41:48 -0300 Subject: [PATCH 007/203] support for claimtypes with multiple values --- lib/passport-wsfed-saml2/saml.js | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 2d6323f..24ab7de 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -86,19 +86,14 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { attributes = samlAssertion.AttributeStatement.Attribute; attributes.forEach(function (attribute) { var value = attribute.AttributeValue; - if (typeof value === 'string') { - profile[attribute['@'].Name] = value; - return; - } + profile[attribute['@'].Name] = value; }); } else { attributes = samlAssertion['saml:AttributeStatement']['saml:Attribute']; attributes.forEach(function (attribute) { var value = attribute['saml:AttributeValue']; - if (typeof value === 'string') { - profile[attribute['@'].AttributeNamespace + '/' + attribute['@'].AttributeName] = value; - return; - } + var attributeName = attribute['@'].AttributeNamespace + '/' + attribute['@'].AttributeName; + profile[attributeName] = value; }); } From 20e6b90db6180cfd4ee7a6a6914ad0aa48f69da7 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 9 Dec 2012 21:42:17 -0300 Subject: [PATCH 008/203] bump 0.3.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 2f5bda7..2ad8967 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.0", + "version": "0.3.1", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "author": { "name": "Matias Woloski", From c1402504bcfe0eeb3c759452c9655af3d10a1f12 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 9 Dec 2012 21:58:28 -0300 Subject: [PATCH 009/203] add nameid --- lib/passport-wsfed-saml2/saml.js | 9 +++++++++ package.json | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 24ab7de..ba3abe7 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -88,6 +88,11 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { var value = attribute.AttributeValue; profile[attribute['@'].Name] = value; }); + + if (samlAssertion.Subject.NameID) { + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = samlAssertion.Subject.NameID; + } + } else { attributes = samlAssertion['saml:AttributeStatement']['saml:Attribute']; attributes.forEach(function (attribute) { @@ -95,6 +100,10 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { var attributeName = attribute['@'].AttributeNamespace + '/' + attribute['@'].AttributeName; profile[attributeName] = value; }); + + if (samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']) { + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']; + } } return profile; diff --git a/package.json b/package.json index 2ad8967..2bb6da9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.1", + "version": "0.3.2", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "author": { "name": "Matias Woloski", From b9f77007ff976596114bf5bcdf9912586655e680 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 16 Dec 2012 21:09:58 -0300 Subject: [PATCH 010/203] support assertions with just one attribute --- lib/passport-wsfed-saml2/saml.js | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index ba3abe7..4c619c6 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -84,10 +84,13 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { var attributes; if (version === '2.0') { attributes = samlAssertion.AttributeStatement.Attribute; - attributes.forEach(function (attribute) { - var value = attribute.AttributeValue; - profile[attribute['@'].Name] = value; - }); + if (attributes) { + attributes = (attributes instanceof Array) ? attributes : [attributes]; + attributes.forEach(function (attribute) { + var value = attribute.AttributeValue; + profile[attribute['@'].Name] = value; + }); + } if (samlAssertion.Subject.NameID) { profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = samlAssertion.Subject.NameID; @@ -95,12 +98,15 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { } else { attributes = samlAssertion['saml:AttributeStatement']['saml:Attribute']; - attributes.forEach(function (attribute) { - var value = attribute['saml:AttributeValue']; - var attributeName = attribute['@'].AttributeNamespace + '/' + attribute['@'].AttributeName; - profile[attributeName] = value; - }); - + if (attributes) { + attributes = (attributes instanceof Array) ? attributes : [attributes]; + attributes.forEach(function (attribute) { + var value = attribute['saml:AttributeValue']; + var attributeName = attribute['@'].AttributeNamespace + '/' + attribute['@'].AttributeName; + profile[attributeName] = value; + }); + } + if (samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']) { profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']; } From 884d0bd4f16da026b9160393b8efd68646012988 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 16 Dec 2012 21:10:44 -0300 Subject: [PATCH 011/203] bump 0.3.3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 2bb6da9..003583d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.2", + "version": "0.3.3", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "author": { "name": "Matias Woloski", From 90d91d408c76783e6e759ba03a662d08da657061 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Thu, 14 Mar 2013 13:16:10 -0300 Subject: [PATCH 012/203] add tests and fix nameidentifier parsing in case Format attribute is there --- .gitignore | 3 +- lib/passport-wsfed-saml2/index.js | 3 +- lib/passport-wsfed-saml2/saml.js | 5 ++- package.json | 11 +++++- test/saml11.tests.js | 45 +++++++++++++++++++++ test/test-auth0.cer | 1 + test/test-auth0.key | 27 +++++++++++++ test/test-auth0.pem | 24 ++++++++++++ test/utils.js | 65 +++++++++++++++++++++++++++++++ 9 files changed, 178 insertions(+), 6 deletions(-) create mode 100644 test/saml11.tests.js create mode 100644 test/test-auth0.cer create mode 100644 test/test-auth0.key create mode 100644 test/test-auth0.pem create mode 100644 test/utils.js diff --git a/.gitignore b/.gitignore index b512c09..28f1ba7 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -node_modules \ No newline at end of file +node_modules +.DS_Store \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/index.js b/lib/passport-wsfed-saml2/index.js index db3c37f..e5dbb33 100644 --- a/lib/passport-wsfed-saml2/index.js +++ b/lib/passport-wsfed-saml2/index.js @@ -1 +1,2 @@ -exports.Strategy = require('./strategy'); \ No newline at end of file +exports.Strategy = require('./strategy'); +exports.SAML = require('./saml'); \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 4c619c6..449ba9f 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -107,8 +107,9 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { }); } - if (samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']) { - profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']; + var nameId = samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']; + if (nameId) { + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = typeof nameId === 'string' ? nameId : nameId['#']; } } diff --git a/package.json b/package.json index 003583d..5854088 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,10 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.3", + "version": "0.3.4", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", + "scripts": { + "test": "mocha" + }, "author": { "name": "Matias Woloski", "email": "matias@auth10.com", @@ -23,7 +26,11 @@ }, "devDependencies": { "express": "2.5.x", - "ejs": "0.7.x" + "ejs": "0.7.x", + "mocha": "*", + "should": "~1.2.1", + "moment": "~1.7.2", + "saml": "~0.2.7" }, "engines": { "node": ">= 0.6.0" diff --git a/test/saml11.tests.js b/test/saml11.tests.js new file mode 100644 index 0000000..4d9bac9 --- /dev/null +++ b/test/saml11.tests.js @@ -0,0 +1,45 @@ +var assert = require('assert'), + fs = require('fs'), + utils = require('./utils'), + moment = require('moment'), + should = require('should'), + saml11 = require('saml').Saml11, + SamlPassport = require('../lib/passport-wsfed-saml2/saml').SAML; + +describe('saml 1.1', function () { + + it('should parse attributes', function (done) { + // cert created with: + // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem + + var options = { + cert: fs.readFileSync(__dirname + '/test-auth0.pem'), + key: fs.readFileSync(__dirname + '/test-auth0.key'), + issuer: 'urn:issuer', + lifetimeInSeconds: 600, + audiences: 'urn:myapp', + attributes: { + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'foo@bar.com', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar' + }, + nameIdentifier: 'foo', + nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' + }; + + var signedAssertion = saml11.create(options); + + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var profile = saml_passport.validateResponse(signedAssertion, function(error, profile) { + + assert.ok(profile); + assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); + assert.equal('Foo Bar', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']); + assert.equal('foo@bar.com', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']); + assert.equal('foo@bar.com', profile['email']); + assert.equal('urn:issuer', profile['issuer']); + done(); + }); + + }); +}); diff --git a/test/test-auth0.cer b/test/test-auth0.cer new file mode 100644 index 0000000..a5ba737 --- /dev/null +++ b/test/test-auth0.cer @@ -0,0 +1 @@ +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo= \ No newline at end of file diff --git a/test/test-auth0.key b/test/test-auth0.key new file mode 100644 index 0000000..663a737 --- /dev/null +++ b/test/test-auth0.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAxmJWY0eJcuV2uBtLnQ4004fuknbODo5xIyRhkYNkls5n9OrB +q4Lok6cjv7G2Q8mxAdlIUmzhTSyuNkrMMKZrPaMsAkNKE/aNpeWuSLXqcMs8T/8g +YCDcEmC5KYEJakNtKb3ZX2FKwT4yHHpsNomLDzJD5DyJKbRpNBm2no7ggIy7TQRJ +2H00mogQIQu8/fUANXVeGPshvLJU8MXEy/eiXkHJIT3DDA4VSr/C/tfP0tGJSNTM +874urc4zej+4INuTuMPtesZS47J0AsPxQuxengS4M76cVt5cH+Iqd1nKe5UqiSKv +LCXacPYg/T/Kdx0tBnwHIjKo/cbzZ+r+XynsCwIDAQABAoIBAFPWWwu5v6x+rJ1B +a8MDre93Eqty6cHdEJL5XQJRtMDGmcg3LYF94SwFBmaMg6pCIjvVx2qN+OjUaQso +sQIeUlPKEV8jcLrfBx2E4xJ3Tow8V1C3UMdPG7Hojler4H633/oz8RkN1Lm1vxep +5PFnTw0tAOQDcTPeulb6RuLbHqU0FEnf/jVOMhtPLcMAwJ3fkAJQ+ljFW2VKCQ83 +d+ci1p+NHY/dbGLSR4lK58mVghcRMO3zhe5scrbECHJMfT6fCb2TXdjaueFUGC6+ +fqUXvDj8HRfUilzTegNq8ZhwgMSw1HeX/PuiczSKc3aHYSsohMBugTErnkW+qF4Z +kE+kxgECgYEA/sm7umcyFuZME+RWYL8Gsp8agH1OGEgsmIiMi1z6RTlTmdR8fN18 +ItzXyW+363VZln/1b5wCaPdLIxgASxybLAaxnKAXfmL7QvyVAaMwxj7N0ogvMQoN +x2VuSGZSam2+LFVIMWHq1C+3fvVnCDLm6oHvIMK/zvEsPBBtz+L6rlECgYEAx1Pr +KogaGHCi1XgsrNv9aFaayRvmhzZbmiigF0iWKAd3KKww94BdyyGSVfMfyL23LAbM +QDCrDNGpYAnpNZo/cL+OcGPYzlPsWDBrJub1HOA/H3WQlP4oEcfdbmJZhIkEwTGF +HaCHynEu4ekiCrWz9+XVNCquTyqnmaVDEzAfEZsCgYA8jQbfUt0Vkh+sboyUq3FV +C/jJZn4jyStICNOV3z/fKbOTkGsRZbW1t1RVHAbSn23uFXTn1GTCO1sQ+QhA0YiT +Gvgk5+sNb0qVbd+fpv/VbWGO0iyc8+24YIOoEyEtB+21LYNdsQ6U5M4wDvQwf6Bf +RQfmekIJVUmU8LaYPDIlMQKBgDSRiT/aTSeM7STnYMDl89sEnCXV2eJnD5mEhVQe +rJs5/M8ZOoDLtfDQlctdJ1DF1/0gfdWgADyNPuI5OuwMFhciLequKoufzoEjo97K +onJPIdamJs9kiCTIVTm7bmhpyns5GCZMJAPb/cVOus+gRCpozuXHK9ltIm5/C0WQ +N2FpAoGBAOss6RN2krieqbn1mG8e2v5mMUd0CJkiJu2y5MnF3dYHXSQ3/ePAh/Yg +JOthpgYgBh+mV0DLqJhx/1DLS/xiqcoHDlndQDmYbtvvY7RlMo00+nGzkRVOfrqy +hC+1KsYHGPbSQixNQXtvFbAAVMSo+RRBkVGINYGDFnlQUpkppYRk +-----END RSA PRIVATE KEY----- diff --git a/test/test-auth0.pem b/test/test-auth0.pem new file mode 100644 index 0000000..47e8e14 --- /dev/null +++ b/test/test-auth0.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNV +BAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQG +EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0x +MjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1 +dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbO +Z/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDL +PE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICM +u00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LR +iUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuV +Kokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNV +HQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeB +jTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTES +MBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu +Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8w +DQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDb +cRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6Fsxo +eZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ53 +2ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6Tf +KgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3Wk +mcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo= +-----END CERTIFICATE----- diff --git a/test/utils.js b/test/utils.js new file mode 100644 index 0000000..f5c5c26 --- /dev/null +++ b/test/utils.js @@ -0,0 +1,65 @@ +var xmlCrypto = require('xml-crypto'), + crypto = require('crypto'), + xmldom = require('xmldom'); + +exports.isValidSignature = function(assertion, cert) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + var signature = xmlCrypto.xpath.SelectNodes(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; + var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); + sig.keyInfoProvider = { + getKeyInfo: function (key) { + return ""; + }, + getKey: function (keyInfo) { + return cert; + } + }; + sig.loadSignature(signature.toString()); + return sig.checkSignature(assertion); +}; + +exports.getIssuer = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getAttribute('Issuer'); +}; + +exports.getAssertionID = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getAttribute('AssertionID'); +}; + +exports.getIssueInstant = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getAttribute('IssueInstant'); +}; + +exports.getConditions = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getElementsByTagName('saml:Conditions'); +}; + +exports.getAudiences = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:Conditions')[0] + .getElementsByTagName('saml:AudienceRestrictionCondition')[0] + .getElementsByTagName('saml:Audience'); +}; + +exports.getAuthenticationStatement = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:AuthenticationStatement')[0]; +}; + +exports.getAttributes = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:Attribute'); +}; + +exports.getNameIdentifier = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:NameIdentifier')[0]; +}; From d787ee97af1fb75a4fd28755aa3c890bb476d00a Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Thu, 14 Mar 2013 13:16:11 -0300 Subject: [PATCH 013/203] 0.3.5 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 5854088..d63b922 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.4", + "version": "0.3.5", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" From 3d8d89325b0a78df342fd45ac8b5e06be262f4b9 Mon Sep 17 00:00:00 2001 From: "Jose F. Romaniello" Date: Tue, 19 Mar 2013 08:24:49 -0300 Subject: [PATCH 014/203] add wreply parameter --- lib/passport-wsfed-saml2/strategy.js | 2 +- lib/passport-wsfed-saml2/wsfederation.js | 19 +++++++++++-------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index d5a3335..52f3816 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -19,7 +19,7 @@ function Strategy (options, verify) { this._verify = verify; this._saml = new saml.SAML(options); - this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl); + this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); } util.inherits(Strategy, passport.Strategy); diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index 9219b70..7206762 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -1,22 +1,25 @@ var xml2js = require('xml2js'); var xmldom = require('xmldom'); -var WsFederation = module.exports = function WsFederation (realm, homerealm, identityProviderUrl) { +var WsFederation = module.exports = function WsFederation (realm, homerealm, identityProviderUrl, wreply) { this.realm = realm; this.homerealm = homerealm; this.identityProviderUrl = identityProviderUrl; + this.wreply = wreply; }; WsFederation.prototype = { getRequestSecurityTokenUrl: function () { - if (this.homerealm !== '') - { - return this.identityProviderUrl + "?wtrealm=" + this.realm + "&wa=wsignin1.0&whr=" + this.homerealm; - } - else - { - return this.identityProviderUrl + "?wtrealm=" + this.realm + "&wa=wsignin1.0"; + var url; + if (this.homerealm !== '') { + url = this.identityProviderUrl + "?wtrealm=" + this.realm + "&wa=wsignin1.0&whr=" + this.homerealm; + } else { + url = this.identityProviderUrl + "?wtrealm=" + this.realm + "&wa=wsignin1.0"; } + if (this.wreply) { + url += '&wreply=' + encodeURIComponent(this.wreply); + } + return url; }, extractToken: function(req) { From 68637e29cc52648cf2fa15b2a4bcbe2dfc5824d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 29 Mar 2013 18:28:46 -0300 Subject: [PATCH 015/203] allow custom options when authorizing --- lib/passport-wsfed-saml2/strategy.js | 2 +- lib/passport-wsfed-saml2/wsfederation.js | 23 ++++++++++++++--------- package.json | 3 ++- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 52f3816..dd32e8f 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -51,7 +51,7 @@ Strategy.prototype.authenticate = function (req, options) { } else { // Initiate new ws-fed authentication request - var idpUrl = this._wsfed.getRequestSecurityTokenUrl(); + var idpUrl = this._wsfed.getRequestSecurityTokenUrl(options); self.redirect(idpUrl); } }; diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index 7206762..40549d3 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -1,5 +1,6 @@ -var xml2js = require('xml2js'); var xmldom = require('xmldom'); +var xtend = require('xtend'); +var qs = require('querystring'); var WsFederation = module.exports = function WsFederation (realm, homerealm, identityProviderUrl, wreply) { this.realm = realm; @@ -9,17 +10,21 @@ var WsFederation = module.exports = function WsFederation (realm, homerealm, ide }; WsFederation.prototype = { - getRequestSecurityTokenUrl: function () { - var url; + getRequestSecurityTokenUrl: function (options) { + var query = xtend(options || {}, { + wtrealm: this.realm, + wa: 'wsignin1.0' + }); + if (this.homerealm !== '') { - url = this.identityProviderUrl + "?wtrealm=" + this.realm + "&wa=wsignin1.0&whr=" + this.homerealm; - } else { - url = this.identityProviderUrl + "?wtrealm=" + this.realm + "&wa=wsignin1.0"; - } + query.whr = this.homerealm; + } + if (this.wreply) { - url += '&wreply=' + encodeURIComponent(this.wreply); + query.wreply = this.wreply; } - return url; + + return this.identityProviderUrl + '?' + qs.encode(query); }, extractToken: function(req) { diff --git a/package.json b/package.json index d63b922..5e459db 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,8 @@ "passport": "0.1.x", "xml2js": "0.1.x", "xml-crypto": "https://github.com/auth10/xml-crypto/tarball/master", - "xmldom": "0.1.x" + "xmldom": "0.1.x", + "xtend": "~2.0.3" }, "devDependencies": { "express": "2.5.x", From 5e9f4e121f8bfaee750f5ef9040e7a49e99e71e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 29 Mar 2013 18:28:55 -0300 Subject: [PATCH 016/203] 0.3.6 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 5e459db..7553573 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.5", + "version": "0.3.6", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" From 565a305eea19c7be349024dc7036e5daeda8367a Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 2 Apr 2013 16:20:53 -0300 Subject: [PATCH 017/203] fix xmldom dep to 0.1.13 and add validation of an office365 assertion --- lib/passport-wsfed-saml2/saml.js | 4 ++-- package.json | 4 ++-- test/saml11.tests.js | 14 ++++++++++++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 449ba9f..9d12994 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -135,11 +135,11 @@ SAML.prototype.validateResponse = function (samlAssertionString, callback) { else return callback(new Error('SAML Assertion version not supported'), null); - if (!self.validateExpiration(samlAssertion, version)) { + if (self.options.checkExpiration && !self.validateExpiration(samlAssertion, version)) { return callback(new Error('Token has expired.'), null); } - if (!self.validateAudience(samlAssertion, self.options.realm, version)) { + if (self.options.checkAudience && !self.validateAudience(samlAssertion, self.options.realm, version)) { return callback(new Error('Audience is invalid. Expected: ' + self.options.realm), null); } diff --git a/package.json b/package.json index 7553573..a127b10 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.6", + "version": "0.3.7", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" @@ -22,7 +22,7 @@ "passport": "0.1.x", "xml2js": "0.1.x", "xml-crypto": "https://github.com/auth10/xml-crypto/tarball/master", - "xmldom": "0.1.x", + "xmldom": "=0.1.13", "xtend": "~2.0.3" }, "devDependencies": { diff --git a/test/saml11.tests.js b/test/saml11.tests.js index 4d9bac9..7c4feee 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -42,4 +42,18 @@ describe('saml 1.1', function () { }); }); + + it('should validate an assertion from office365', function (done) { + var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; + + var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0', + realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', + checkExpiration: false}); // dont check expiration since we are harcoding the token + var profile = saml_passport.validateResponse(signedAssertion, function(error, profile) { + + assert.ok(profile); + done(); + }); + + }); }); From bae091aba26c57144af939a74269da38506a39d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Wed, 3 Apr 2013 09:49:55 -0300 Subject: [PATCH 018/203] add authorizationParams method --- lib/passport-wsfed-saml2/strategy.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index dd32e8f..8b105c3 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -50,10 +50,14 @@ Strategy.prototype.authenticate = function (req, options) { }); } else { // Initiate new ws-fed authentication request - - var idpUrl = this._wsfed.getRequestSecurityTokenUrl(options); + var params = this.authorizationParams(options); + var idpUrl = this._wsfed.getRequestSecurityTokenUrl(params); self.redirect(idpUrl); } }; +Strategy.prototype.authorizationParams = function(options) { + return {}; +}; + module.exports = Strategy; \ No newline at end of file From 55d3a8a6d5c987a80f3d300bbc255eaf708d4258 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Wed, 3 Apr 2013 09:51:51 -0300 Subject: [PATCH 019/203] 0.3.8 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index a127b10..83f5532 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.7", + "version": "0.3.8", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" From f8a77892e4e561cc5ee17dc122f781ea039d3574 Mon Sep 17 00:00:00 2001 From: David Boardman Date: Mon, 6 May 2013 14:42:22 -0500 Subject: [PATCH 020/203] Add support for configurable xpath to the Signature and a callback to extract the saml:Assertion node --- lib/passport-wsfed-saml2/saml.js | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 9d12994..f6ede42 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -12,6 +12,9 @@ var SAML = function (options) { if (!options.cert && !options.thumbprint) { throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate'); } + if(!options.signaturePath){ + options.signaturePath = "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + } }; SAML.prototype.certToPEM = function (cert) { @@ -24,7 +27,7 @@ SAML.prototype.certToPEM = function (cert) { SAML.prototype.validateSignature = function (xml, cert, thumbprint) { var self = this; var doc = new xmldom.DOMParser().parseFromString(xml); - var signature = xmlCrypto.xpath.SelectNodes(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; + var signature = xmlCrypto.xpath.SelectNodes(doc, this.options.signaturePath)[0]; var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); sig.keyInfoProvider = { getKeyInfo: function (key) { @@ -126,7 +129,11 @@ SAML.prototype.validateResponse = function (samlAssertionString, callback) { var parser = new xml2js.Parser(); parser.parseString(samlAssertionString, function (err, samlAssertion) { - + + if(self.options.extractSAMLAssertion){ + samlAssertion = self.options.extractSAMLAssertion(samlAssertion) + } + var version; if (samlAssertion['@'].MajorVersion === '1') version = '1.1'; From f9a872a58432c244561d18a1d35d948aeaf3d1e0 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 6 May 2013 18:05:51 -0300 Subject: [PATCH 021/203] fix issue when request is post but there is no wresult, added integration tests --- lib/passport-wsfed-saml2/strategy.js | 8 ++ lib/passport-wsfed-saml2/wsfederation.js | 2 - package.json | 20 +++-- test/fixture/server.js | 95 +++++++++++++++++++++ test/wsfed.tests.js | 101 +++++++++++++++++++++++ 5 files changed, 217 insertions(+), 9 deletions(-) create mode 100644 test/fixture/server.js create mode 100644 test/wsfed.tests.js diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 8b105c3..34c6599 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -27,6 +27,14 @@ util.inherits(Strategy, passport.Strategy); Strategy.prototype.authenticate = function (req, options) { var self = this; if (req.body && req.method == 'POST') { + if (!req.body.wresult) { + return self.fail('Expected a wresult parameter', 400); + } + + if (req.body.wresult.indexOf('<') === -1) { + return self.fail('wresult should be a valid xml', 400); + } + // We have a response, get the user identity out of it var token = this._wsfed.extractToken(req); self._saml.validateResponse(token, function (err, profile) { diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index 40549d3..34ba272 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -28,8 +28,6 @@ WsFederation.prototype = { }, extractToken: function(req) { - //var parser = new xml2js.Parser(); - var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']); var token = doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0].firstChild; diff --git a/package.json b/package.json index 83f5532..54c0862 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.8", + "version": "0.3.9", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" @@ -21,17 +21,23 @@ "dependencies": { "passport": "0.1.x", "xml2js": "0.1.x", - "xml-crypto": "https://github.com/auth10/xml-crypto/tarball/master", + "xml-crypto": "~0.0.10", "xmldom": "=0.1.13", "xtend": "~2.0.3" }, "devDependencies": { - "express": "2.5.x", - "ejs": "0.7.x", - "mocha": "*", - "should": "~1.2.1", + "chai": "~1.5.0", + "express": "~3.1.0", + "mocha": "~1.8.1", + "request": "~2.14.0", + "xmldom": "~0.1.13", + "cheerio": "~0.10.7", + "xml-crypto": "0.0.10", + "xpath": "0.0.5", + "xtend": "~2.0.3", "moment": "~1.7.2", - "saml": "~0.2.7" + "saml": "~0.2.7", + "wsfed": "~0.3.4" }, "engines": { "node": ">= 0.6.0" diff --git a/test/fixture/server.js b/test/fixture/server.js new file mode 100644 index 0000000..ba1a55e --- /dev/null +++ b/test/fixture/server.js @@ -0,0 +1,95 @@ +var express = require('express'); +var http = require('http'); +var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; +var passport = require('passport'); +var wsfed = require('wsfed'); +var xtend = require('xtend'); +var fs = require('fs'); +var path = require('path'); + +passport.use(new Strategy( + { + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://localhost:5050/login', + thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + }, + function(profile, done) { + return done(null, profile); + }) +); + +var fakeUser = { + id: '12345678', + displayName: 'John Foo', + name: { + familyName: 'Foo', + givenName: 'John' + }, + emails: [ + { + type: 'work', + value: 'jfoo@gmail.com' + } + ] +}; + +var credentials = { + cert: fs.readFileSync(path.join(__dirname, '../test-auth0.pem')), + key: fs.readFileSync(path.join(__dirname, '../test-auth0.key')) +}; + +passport.serializeUser(function(user, done) { + done(null, user); +}); + +passport.deserializeUser(function(user, done) { + done(null, user); +}); + +module.exports.options = {}; + +module.exports.start = function(options, callback){ + module.exports.options = options; + if (typeof options === 'function') { + callback = options; + module.exports.options = {}; + } + + var app = express(); + + app.configure(function(){ + this.use(express.bodyParser()); + this.use(passport.initialize()); + this.use(passport.session()); + this.use(function(req,res,next){ + req.user = fakeUser; + next(); + }); + }); + + function getPostURL (wtrealm, wreply, req, callback) { + callback(null, 'http://localhost:5050/callback'); + } + + app.get('/login', + wsfed.auth(xtend({}, { + issuer: 'fixture-test', + getPostURL: getPostURL, + cert: credentials.cert, + key: credentials.key + }, options))); + + app.post('/callback', + passport.authenticate('wsfed-saml2'), + function(req, res) { + res.json(req.user); + }); + + + var server = http.createServer(app).listen(5050, callback); + module.exports.close = server.close.bind(server); +}; + +module.exports.fakeUser = fakeUser; +module.exports.credentials = credentials; diff --git a/test/wsfed.tests.js b/test/wsfed.tests.js new file mode 100644 index 0000000..e2fb4f4 --- /dev/null +++ b/test/wsfed.tests.js @@ -0,0 +1,101 @@ +var expect = require('chai').expect; +var server = require('./fixture/server'); +var request = require('request'); +var cheerio = require('cheerio'); + +describe('wsfed', function () { + before(function (done) { + server.start(done); + }); + + after(function (done) { + server.close(done); + }); + + describe('normal flow', function () { + var user, r, bod, $; + + before(function (done) { + request.get({ + jar: request.jar(), + uri: 'http://localhost:5050/login?wa=wsignin1.0&wtrealm=urn:fixture-test' + }, function (err, response, b){ + if(err) return done(err); + expect(response.statusCode) + .to.equal(200); + + + $ = cheerio.load(b); + var wresult = $('input[name="wresult"]').attr('value'); + var wa = $('input[name="wa"]').attr('value'); + request.post({ + jar: request.jar(), + uri: 'http://localhost:5050/callback', + form: { wresult: wresult, wa: wa } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + }); + + it('should be valid signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']) + .to.equal(server.fakeUser.id); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) + .to.equal(server.fakeUser.emails[0].value); + }); + + }); + + describe('missing wresult in POST', function () { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5050/callback' + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should return a 400', function(){ + expect(r.statusCode) + .to.equal(400); + }); + }); + + describe('invalid wresult in POST', function () { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5050/callback', + form: { wresult: 'foo' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should return a 400', function(){ + expect(r.statusCode) + .to.equal(400); + }); + }); +}); \ No newline at end of file From 73db6005360e6ad778a345c1ff02ad01619e53a4 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 6 May 2013 18:14:19 -0300 Subject: [PATCH 022/203] add travis --- .travis.yml | 4 ++++ README.md | 2 ++ 2 files changed, 6 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..663b27a --- /dev/null +++ b/.travis.yml @@ -0,0 +1,4 @@ +language: node_js +node_js: + - 0.8 + - 0.10 \ No newline at end of file diff --git a/README.md b/README.md index 4c14f2b..a6531b7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ Passport-wsfed-saml2 ============= +[![Build Status](https://travis-ci.org/auth0/passport-wsfed-saml2.png)](https://travis-ci.org/auth0/passport-wsfed-saml2) + This is a ws-federation protocol + SAML2 tokens authentication provider for [Passport](http://passportjs.org/). The code was originally based on Henri Bergius's [passport-saml](https://github.com/bergie/passport-saml) library. From 929d731837faeee0eae77c2d40e193bcc2802c63 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 6 May 2013 18:17:40 -0300 Subject: [PATCH 023/203] add should in dev deps --- package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index 54c0862..85c0c5f 100644 --- a/package.json +++ b/package.json @@ -37,7 +37,8 @@ "xtend": "~2.0.3", "moment": "~1.7.2", "saml": "~0.2.7", - "wsfed": "~0.3.4" + "wsfed": "~0.3.4", + "should": "~1.1.0" }, "engines": { "node": ">= 0.6.0" From 2cbc043a0ba748060b91cf9b5c480a9c939682f2 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 6 May 2013 18:22:30 -0300 Subject: [PATCH 024/203] bump to 0.3.10 --- package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 85c0c5f..8ccdbd0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.9", + "version": "0.3.10", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" @@ -12,10 +12,10 @@ }, "repository": { "type": "git", - "url": "git://github.com/auth10/passport-wsfed-saml2.git" + "url": "git://github.com/auth0/passport-wsfed-saml2.git" }, "bugs": { - "url": "http://github.com/auth10/passport-wsfed-saml2/issues" + "url": "http://github.com/auth0/passport-wsfed-saml2/issues" }, "main": "./lib/passport-wsfed-saml2", "dependencies": { From 208ea477d487819d5390935d3fbcddab609d991d Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 6 May 2013 19:05:48 -0300 Subject: [PATCH 025/203] should redirect to idp if is a post but wresult is missing --- lib/passport-wsfed-saml2/strategy.js | 6 +----- test/wsfed.tests.js | 4 ++-- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 34c6599..ca80fed 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -26,11 +26,7 @@ util.inherits(Strategy, passport.Strategy); Strategy.prototype.authenticate = function (req, options) { var self = this; - if (req.body && req.method == 'POST') { - if (!req.body.wresult) { - return self.fail('Expected a wresult parameter', 400); - } - + if (req.body && req.method == 'POST' && req.body.wresult) { if (req.body.wresult.indexOf('<') === -1) { return self.fail('wresult should be a valid xml', 400); } diff --git a/test/wsfed.tests.js b/test/wsfed.tests.js index e2fb4f4..b2b0a22 100644 --- a/test/wsfed.tests.js +++ b/test/wsfed.tests.js @@ -71,9 +71,9 @@ describe('wsfed', function () { }); }); - it('should return a 400', function(){ + it('should redirect to idp', function(){ expect(r.statusCode) - .to.equal(400); + .to.equal(302); }); }); From 86f8e81808dc67dde65ca0df5ce10e78f7f80f7d Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 6 May 2013 20:25:38 -0300 Subject: [PATCH 026/203] bump to 0.3.11 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 8ccdbd0..b12ec24 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.10", + "version": "0.3.11", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" From eaaba39ab2d3a6e63336bbfcc03fed46adefb4ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Mon, 10 Jun 2013 14:02:00 -0300 Subject: [PATCH 027/203] skip undefined attributes --- lib/passport-wsfed-saml2/saml.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index f6ede42..963344e 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -91,6 +91,7 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { attributes = (attributes instanceof Array) ? attributes : [attributes]; attributes.forEach(function (attribute) { var value = attribute.AttributeValue; + if(typeof value === 'undefined') return; profile[attribute['@'].Name] = value; }); } @@ -106,6 +107,7 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { attributes.forEach(function (attribute) { var value = attribute['saml:AttributeValue']; var attributeName = attribute['@'].AttributeNamespace + '/' + attribute['@'].AttributeName; + if(typeof value === 'undefined') return; profile[attributeName] = value; }); } @@ -162,4 +164,4 @@ SAML.prototype.validateResponse = function (samlAssertionString, callback) { }); }; -exports.SAML = SAML; \ No newline at end of file +exports.SAML = SAML; From 8ff069e892ba58cd7bfff46923dabfb560da741e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Mon, 10 Jun 2013 14:02:09 -0300 Subject: [PATCH 028/203] 0.3.12 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b12ec24..e8a3f11 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.11", + "version": "0.3.12", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha" From c1555bf8c4c06caf6fe9b343cfbebf6f069ed442 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Thu, 9 May 2013 23:31:03 -0300 Subject: [PATCH 029/203] samlp implementation Redirect-POST binding --- lib/passport-wsfed-saml2/saml.js | 90 +++++-- lib/passport-wsfed-saml2/samlp.js | 69 ++++++ lib/passport-wsfed-saml2/strategy.js | 106 +++++++-- lib/passport-wsfed-saml2/templates.js | 11 + .../templates/samlrequest.ejs | 8 + package.json | 8 +- test/fixture/samlp-server.js | 165 +++++++++++++ test/fixture/{server.js => wsfed-server.js} | 8 +- test/saml11.tests.js | 4 +- test/samlp.tests.js | 223 ++++++++++++++++++ test/wsfed.tests.js | 4 +- 11 files changed, 647 insertions(+), 49 deletions(-) create mode 100644 lib/passport-wsfed-saml2/samlp.js create mode 100644 lib/passport-wsfed-saml2/templates.js create mode 100644 lib/passport-wsfed-saml2/templates/samlrequest.ejs create mode 100644 test/fixture/samlp-server.js rename test/fixture/{server.js => wsfed-server.js} (98%) create mode 100644 test/samlp.tests.js diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 963344e..e0046f7 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -4,7 +4,6 @@ var xml2js = require('xml2js'); var xmlCrypto = require('xml-crypto'); var crypto = require('crypto'); var xmldom = require('xmldom'); -var querystring = require('querystring'); var SAML = function (options) { this.options = options; @@ -12,9 +11,16 @@ var SAML = function (options) { if (!options.cert && !options.thumbprint) { throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate'); } - if(!options.signaturePath){ - options.signaturePath = "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - } + + options.signaturePath = options.signaturePath || "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + + if (typeof options.validateSignature === 'undefined') { + options.validateSignature = true; + } + + if (typeof options.validateResponse === 'undefined') { + options.validateResponse = false; + } }; SAML.prototype.certToPEM = function (cert) { @@ -28,6 +34,9 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint) { var self = this; var doc = new xmldom.DOMParser().parseFromString(xml); var signature = xmlCrypto.xpath.SelectNodes(doc, this.options.signaturePath)[0]; + if (!signature) + return false; + var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); sig.keyInfoProvider = { getKeyInfo: function (key) { @@ -83,25 +92,66 @@ SAML.prototype.validateAudience = function (samlAssertion, realm, version) { }; SAML.prototype.parseAttributes = function (samlAssertion, version) { + function getAttributes(samlAssertion) { + if (samlAssertion['saml:AttributeStatement']) { + return samlAssertion['saml:AttributeStatement']['saml:Attribute']; + } else if (samlAssertion.AttributeStatement) { + return samlAssertion.AttributeStatement.Attribute; + } else { + return null; + } + } + + function getNameID20(samlAssertion) { + if (samlAssertion['saml:Subject']) { + return samlAssertion['saml:Subject']['saml:NameID']; + } else if (samlAssertion.Subject) { + return samlAssertion.Subject.NameID; + } else { + return null; + } + } + + function getNameID11(samlAssertion) { + if (samlAssertion['saml:AttributeStatement']) { + return samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']; + } else if (samlAssertion.AttributeStatement) { + return samlAssertion.AttributeStatement.Subject.NameIdentifier; + } else { + return null; + } + } + + function getAttributeValue20(attribute) { + if (attribute['saml:AttributeValue']) { + return (typeof attribute['saml:AttributeValue']) === "string" ? attribute['saml:AttributeValue'] : attribute['saml:AttributeValue']['#']; + } else if (attribute.AttributeValue) { + return (typeof attribute.AttributeValue) === "string" ? attribute.AttributeValue : attribute.AttributeValue['#']; + } else { + return null; + } + } + var profile = {}; - var attributes; + var nameId; + var attributes = getAttributes(samlAssertion); if (version === '2.0') { - attributes = samlAssertion.AttributeStatement.Attribute; if (attributes) { attributes = (attributes instanceof Array) ? attributes : [attributes]; attributes.forEach(function (attribute) { - var value = attribute.AttributeValue; + var value = getAttributeValue20(attribute); if(typeof value === 'undefined') return; profile[attribute['@'].Name] = value; }); } - if (samlAssertion.Subject.NameID) { - profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = samlAssertion.Subject.NameID; + nameId = getNameID20(samlAssertion); + if (nameId) { + nameId = (typeof nameId) === "string" ? nameId : nameId['#']; + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = nameId; } } else { - attributes = samlAssertion['saml:AttributeStatement']['saml:Attribute']; if (attributes) { attributes = (attributes instanceof Array) ? attributes : [attributes]; attributes.forEach(function (attribute) { @@ -112,7 +162,7 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { }); } - var nameId = samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']; + nameId = getNameID11(samlAssertion); if (nameId) { profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = typeof nameId === 'string' ? nameId : nameId['#']; } @@ -121,19 +171,29 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { return profile; }; -SAML.prototype.validateResponse = function (samlAssertionString, callback) { +SAML.prototype.validateSamlResponse = function (samlResponse, callback) { + var self = this; + + if (self.options.validateResponse && !self.validateSignature(samlResponse, self.options.cert, self.options.thumbprint)) { + return callback(new Error('Invalid signature'), null); + } + + return callback(); +}; + +SAML.prototype.validateSamlAssertion = function (samlAssertionString, callback) { var self = this; // Verify signature - if (!self.validateSignature(samlAssertionString, self.options.cert, self.options.thumbprint)) { + if (self.options.validateSignature && !self.validateSignature(samlAssertionString, self.options.cert, self.options.thumbprint)) { return callback(new Error('Invalid signature'), null); } var parser = new xml2js.Parser(); parser.parseString(samlAssertionString, function (err, samlAssertion) { - if(self.options.extractSAMLAssertion){ - samlAssertion = self.options.extractSAMLAssertion(samlAssertion) + if (self.options.extractSAMLAssertion){ + samlAssertion = self.options.extractSAMLAssertion(samlAssertion); } var version; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js new file mode 100644 index 0000000..fc08659 --- /dev/null +++ b/lib/passport-wsfed-saml2/samlp.js @@ -0,0 +1,69 @@ +var xmldom = require('xmldom'); +var qs = require('querystring'); +var zlib = require('zlib'); +var xtend = require('xtend'); +var templates = require('./templates'); + +var Samlp = module.exports = function Samlp (options) { + this.options = options || {}; + this.options.protocolBinding = options.protocolBinding || 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'; + if (typeof options.deflate === 'undefined') this.options.deflate = true; + +}; + +Samlp.prototype = { + getSamlRequestUrl: function (opts, callback) { + var options = xtend(opts || {}, this.options); + + var SAMLRequest = templates.samlrequest({ + ID: '_' + generateUniqueID(), + IssueInstant: generateInstant(), + Destination: options.identityProviderUrl, + Issuer: options.realm, + ProtocolBinding: options.protocolBinding, + AssertionConsumerServiceURL: options.callback + }); + + if (options.deflate) { + zlib.deflateRaw(new Buffer(SAMLRequest), function(err, buffer) { + if (err) return callback(err); + + callback(null, buildUrl(buffer)); + }); + } else { + callback(null, buildUrl(new Buffer(SAMLRequest))); + } + + function buildUrl(buffer) { + var url = options.identityProviderUrl + '?' + qs.encode( { SAMLRequest: buffer.toString('base64'), RelayState: options.RelayState || '' }); + return url; + } + }, + + decodeResponse: function(req) { + var decoded = new Buffer(req.body['SAMLResponse'], 'base64').toString(); + return decoded; + }, + + extractToken: function(samlpResponse) { + var doc = new xmldom.DOMParser().parseFromString(samlpResponse); + var token = doc.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'Assertion')[0]; + var tokenString = new xmldom.XMLSerializer().serializeToString(token); + + return tokenString; + } +}; + +function generateUniqueID() { + var chars = "abcdef0123456789"; + var uniqueID = ""; + for (var i = 0; i < 20; i++) { + uniqueID += chars.substr(Math.floor((Math.random()*15)), 1); + } + return uniqueID; +} + +function generateInstant() { + var date = new Date(); + return date.getUTCFullYear() + '-' + ('0' + (date.getUTCMonth()+1)).slice(-2) + '-' + ('0' + date.getUTCDate()).slice(-2) + 'T' + ('0' + date.getUTCHours()).slice(-2) + ":" + ('0' + date.getUTCMinutes()).slice(-2) + ":" + ('0' + date.getUTCSeconds()).slice(-2) + "Z"; +} \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index ca80fed..1287f42 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -2,6 +2,7 @@ var passport = require('passport'); var util = require('util'); var saml = require('./saml'); var wsfed = require('./wsfederation'); +var samlp = require('./samlp'); function Strategy (options, verify) { if (typeof options == 'function') { @@ -9,6 +10,8 @@ function Strategy (options, verify) { options = {}; } + this.options = options || {}; + if (!verify) { throw new Error('Windows Azure Access Control Service authentication strategy requires a verify function'); } @@ -18,50 +21,105 @@ function Strategy (options, verify) { passport.Strategy.call(this); this._verify = verify; - this._saml = new saml.SAML(options); + this._saml = new saml.SAML(this.options); this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); + this._samlp = new samlp(this.options); } util.inherits(Strategy, passport.Strategy); -Strategy.prototype.authenticate = function (req, options) { +Strategy.prototype.authenticate = function (req, opts) { var self = this; - if (req.body && req.method == 'POST' && req.body.wresult) { - if (req.body.wresult.indexOf('<') === -1) { - return self.fail('wresult should be a valid xml', 400); - } + var protocol = opts.protocol || 'wsfed'; - // We have a response, get the user identity out of it - var token = this._wsfed.extractToken(req); - self._saml.validateResponse(token, function (err, profile) { - if (err) { - return self.error(err); + function executeWsfed(req, options) { + if (req.body && req.method == 'POST' && req.body.wresult) { + if (req.body.wresult.indexOf('<') === -1) { + return self.fail('wresult should be a valid xml', 400); } - var verified = function (err, user, info) { + // We have a response, get the user identity out of it + var token = self._wsfed.extractToken(req); + self._saml.validateSamlAssertion(token, function (err, profile) { if (err) { return self.error(err); } - if (!user) { - return self.fail(info); - } + var verified = function (err, user, info) { + if (err) { + return self.error(err); + } + + if (!user) { + return self.fail(info); + } + + self.success(user, info); + }; + + self._verify(profile, verified); + }); + } else { + // Initiate new ws-fed authentication request + var params = self.authorizationParams(opts); + var idpUrl = self._wsfed.getRequestSecurityTokenUrl(params); + self.redirect(idpUrl); + } + } + + function executeSamlp(req, options) { + if (req.body && req.method == 'POST' && req.body.SAMLResponse) { + var samlResponse = self._samlp.decodeResponse(req); + if (samlResponse.indexOf('<') === -1) { + return self.fail('SAMLResponse should be a valid xml', 400); + } - self.success(user, info); - }; + // We have a response, get the user identity out of it + self._saml.validateSamlResponse(samlResponse, function (err) { + if (err) return self.fail(err, 400); - self._verify(profile, verified); - }); - } else { - // Initiate new ws-fed authentication request - var params = this.authorizationParams(options); - var idpUrl = this._wsfed.getRequestSecurityTokenUrl(params); - self.redirect(idpUrl); + var token = self._samlp.extractToken(samlResponse); + self._saml.validateSamlAssertion(token, function (err, profile) { + if (err) return self.fail(err, 400); + + var verified = function (err, user, info) { + if (err) return self.error(err); + + if (!user) return self.fail(info); + + self.success(user, info); + }; + + self._verify(profile, verified); + }); + }); + } else { + // Initiate new samlp authentication request + self._samlp.getSamlRequestUrl(opts, function(err, url) { + if (err) return self.error(err); + + self.redirect(url); + }); + } + } + + switch (protocol) { + case 'wsfed': + executeWsfed(req, this.options); + break; + case 'samlp': + executeSamlp(req, this.options); + break; + default: + throw new Error('not supported protocol: ' + protocol); } + + }; Strategy.prototype.authorizationParams = function(options) { return {}; }; + module.exports = Strategy; \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/templates.js b/lib/passport-wsfed-saml2/templates.js new file mode 100644 index 0000000..039a528 --- /dev/null +++ b/lib/passport-wsfed-saml2/templates.js @@ -0,0 +1,11 @@ +var ejs = require('ejs'); +var fs = require('fs'); +var path = require('path'); + +var templates = fs.readdirSync(path.join(__dirname, 'templates')); + +templates.forEach(function (tmplFile) { + var content = fs.readFileSync(path.join(__dirname, 'templates', tmplFile)); + var template = ejs.compile(content.toString()); + exports[tmplFile.slice(0, -4)] = template; +}); \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/templates/samlrequest.ejs b/lib/passport-wsfed-saml2/templates/samlrequest.ejs new file mode 100644 index 0000000..7a88cae --- /dev/null +++ b/lib/passport-wsfed-saml2/templates/samlrequest.ejs @@ -0,0 +1,8 @@ + AssertionConsumerServiceURL="<%= AssertionConsumerServiceURL %>" <% } %> + <% if (AssertionConsumerServiceURL) { %> Destination="<%= Destination %>" <% } %> + ID="<%= ID %>" + IssueInstant="<%= IssueInstant %>" + ProtocolBinding="<%= ProtocolBinding %>" Version="2.0"> + <%= Issuer %> + \ No newline at end of file diff --git a/package.json b/package.json index e8a3f11..a20bfbc 100644 --- a/package.json +++ b/package.json @@ -3,7 +3,7 @@ "version": "0.3.12", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { - "test": "mocha" + "test": "mocha --reporter spec" }, "author": { "name": "Matias Woloski", @@ -23,7 +23,8 @@ "xml2js": "0.1.x", "xml-crypto": "~0.0.10", "xmldom": "=0.1.13", - "xtend": "~2.0.3" + "xtend": "~2.0.3", + "ejs": "~0.8.3" }, "devDependencies": { "chai": "~1.5.0", @@ -38,7 +39,8 @@ "moment": "~1.7.2", "saml": "~0.2.7", "wsfed": "~0.3.4", - "should": "~1.1.0" + "should": "~1.1.0", + "samlp": "~0.2.0" }, "engines": { "node": ">= 0.6.0" diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js new file mode 100644 index 0000000..1fe68a6 --- /dev/null +++ b/test/fixture/samlp-server.js @@ -0,0 +1,165 @@ +var express = require('express'); +var http = require('http'); +var samlp = require('samlp'); +var xtend = require('xtend'); +var fs = require('fs'); +var path = require('path'); + +var passport = require('passport'); +var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; + +var identityProviderUrl = 'http://localhost:5051/samlp'; +var relayState = 'somestate'; + +passport.use('samlp', new Strategy( + { + validateSignature: true, + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: identityProviderUrl, + thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + }, + function(profile, done) { + return done(null, profile); + }) +); + +passport.use('samlp-signedresponse', new Strategy( + { + validateSignature: false, + validateResponse: true, + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: identityProviderUrl, + thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + }, + function(profile, done) { + return done(null, profile); + }) +); + +passport.use('samlp-signedresponse-invalidcert', new Strategy( + { + validateSignature: false, + validateResponse: true, + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: identityProviderUrl, + thumbprint: '11111111111111111a5b93a43572eb2376fed309' + }, + function(profile, done) { + return done(null, profile); + }) +); + +passport.use('samlp-invalidcert', new Strategy( + { + validateSignature: true, + validateResponse: false, + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: identityProviderUrl, + thumbprint: '11111111111111111a5b93a43572eb2376fed309' + }, + function(profile, done) { + return done(null, profile); + }) +); + +var fakeUser = { + id: '12345678', + displayName: 'John Foo', + name: { + familyName: 'Foo', + givenName: 'John' + }, + emails: [ + { + type: 'work', + value: 'jfoo@gmail.com' + } + ] +}; + +var credentials = { + cert: fs.readFileSync(path.join(__dirname, '../test-auth0.pem')), + key: fs.readFileSync(path.join(__dirname, '../test-auth0.key')) +}; + +module.exports.options = {}; + +module.exports.start = function(options, callback){ + module.exports.options = options; + if (typeof options === 'function') { + callback = options; + module.exports.options = {}; + } + + var app = express(); + + app.configure(function(){ + this.use(express.bodyParser()); + this.use(passport.initialize()); + this.use(passport.session()); + this.use(function(req,res,next){ + req.user = fakeUser; + next(); + }); + }); + + function getPostURL (audience, samlRequestDom, req, callback) { + callback(null, 'http://localhost:5051/callback'); + } + + //configure samlp middleware + app.get('/samlp', function(req, res, next) { + samlp.auth(xtend({}, { + issuer: 'urn:fixture-test', + getPostURL: getPostURL, + cert: credentials.cert, + key: credentials.key + }, module.exports.options))(req, res); + }); + + app.get('/login', passport.authenticate('samlp', { protocol: 'samlp', RelayState: relayState })); + + app.post('/callback', + function(req, res, next) { + //console.log('req.body'); + next(); + }, + passport.authenticate('samlp', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + + app.post('/callback/samlp-signedresponse', + passport.authenticate('samlp-signedresponse', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + + app.post('/callback/samlp-signedresponse-invalidcert', + passport.authenticate('samlp-signedresponse-invalidcert', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + + app.post('/callback/samlp-invalidcert', + passport.authenticate('samlp-invalidcert', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + + var server = http.createServer(app).listen(5051, callback); + module.exports.close = server.close.bind(server); +}; + +module.exports.relayState = relayState; +module.exports.identityProviderUrl = identityProviderUrl; +module.exports.fakeUser = fakeUser; +module.exports.credentials = credentials; diff --git a/test/fixture/server.js b/test/fixture/wsfed-server.js similarity index 98% rename from test/fixture/server.js rename to test/fixture/wsfed-server.js index ba1a55e..3954f19 100644 --- a/test/fixture/server.js +++ b/test/fixture/wsfed-server.js @@ -1,12 +1,13 @@ var express = require('express'); var http = require('http'); -var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; -var passport = require('passport'); var wsfed = require('wsfed'); var xtend = require('xtend'); var fs = require('fs'); var path = require('path'); +var passport = require('passport'); +var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; + passport.use(new Strategy( { path: '/callback', @@ -80,13 +81,12 @@ module.exports.start = function(options, callback){ key: credentials.key }, options))); - app.post('/callback', + app.post('/callback', passport.authenticate('wsfed-saml2'), function(req, res) { res.json(req.user); }); - var server = http.createServer(app).listen(5050, callback); module.exports.close = server.close.bind(server); }; diff --git a/test/saml11.tests.js b/test/saml11.tests.js index 7c4feee..38e8e2f 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -30,7 +30,7 @@ describe('saml 1.1', function () { var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); - var profile = saml_passport.validateResponse(signedAssertion, function(error, profile) { + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { assert.ok(profile); assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); @@ -49,7 +49,7 @@ describe('saml 1.1', function () { var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0', realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', checkExpiration: false}); // dont check expiration since we are harcoding the token - var profile = saml_passport.validateResponse(signedAssertion, function(error, profile) { + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { assert.ok(profile); done(); diff --git a/test/samlp.tests.js b/test/samlp.tests.js new file mode 100644 index 0000000..66d323d --- /dev/null +++ b/test/samlp.tests.js @@ -0,0 +1,223 @@ +var expect = require('chai').expect; +var server = require('./fixture/samlp-server'); +var request = require('request'); +var qs = require('querystring'); +var cheerio = require('cheerio'); +var xmldom = require('xmldom'); + +describe('samlp', function () { + before(function (done) { + server.start(done); + }); + + after(function (done) { + server.close(done); + }); + + describe('samlp flow with assertion signed', function () { + var r, bod; + + before(function (done) { + doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', + 'http://localhost:5051/callback', function(err, resp) { + if (err) return done(err); + r = resp.response; + bod = resp.body; + done(); + }); + }); + + it('should be valid signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']) + .to.equal(server.fakeUser.id); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) + .to.equal(server.fakeUser.emails[0].value); + }); + }); + + describe('samlp flow with assertion signed with different cert', function () { + var r, bod; + + before(function (done) { + server.options = { signResponse: true }; + doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', + 'http://localhost:5051/callback/samlp-invalidcert', function(err, resp) { + if (err) return done(err); + r = resp.response; + bod = resp.body; + done(); + }); + }); + + it('should return 400 (invalid signature)', function(){ + expect(r.statusCode) + .to.equal(400); + }); + }); + + describe('samlp flow with response signed', function () { + var r, bod; + + before(function (done) { + server.options = { signResponse: true }; + doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', + 'http://localhost:5051/callback/samlp-signedresponse', function(err, resp) { + if (err) return done(err); + r = resp.response; + bod = resp.body; + done(); + }); + }); + + it('should be valid signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']) + .to.equal(server.fakeUser.id); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) + .to.equal(server.fakeUser.emails[0].value); + }); + + }); + + describe('samlp flow with response signed with different cert', function () { + var r, bod; + + before(function (done) { + server.options = { signResponse: true }; + doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', + 'http://localhost:5051/callback/samlp-signedresponse-invalidcert', function(err, resp) { + if (err) return done(err); + r = resp.response; + bod = resp.body; + done(); + }); + }); + + it('should return 400 (invalid signature)', function(){ + expect(r.statusCode) + .to.equal(400); + }); + }); + + describe('missing SAMLResponse in POST', function () { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback' + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + expect(r.headers.location.split('?')[0]) + .to.equal('http://localhost:5051/samlp'); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + expect(querystring).to.have.property('RelayState'); + }); + }); + + describe('invalid SAMLResponse in POST', function () { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback', + form: { SAMLResponse: 'foo' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should return a 400', function(){ + expect(r.statusCode) + .to.equal(400); + }); + }); + + describe('samlp request', function () { + var r, bod; + + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login' + }, function (err, resp, b){ + if(err) return callback(err); + r = resp; + bod = b; + done(); + }); + }); + + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + }); + + it('should have SAMLRequest querystring', function(){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + }); + + it('should have RelayState querystring', function(){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('RelayState'); + expect(querystring.RelayState).to.equal(server.relayState); + }); + + }); +}); + +function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { + request.get({ + jar: request.jar(), + uri: samlRequestUrl + }, function (err, response, b){ + if(err) return callback(err); + expect(response.statusCode) + .to.equal(200); + + var $ = cheerio.load(b); + var SAMLResponse = $('input[name="SAMLResponse"]').attr('value'); + var RelayState = $('input[name="RelayState"]').attr('value'); + + + request.post({ + jar: request.jar(), + uri: callbackEndpoint, + form: { SAMLResponse: SAMLResponse, RelayState: RelayState } + }, function(err, response, body) { + if(err) return callback(err); + callback(null, { response: response, body: body }); + }); + }); +} \ No newline at end of file diff --git a/test/wsfed.tests.js b/test/wsfed.tests.js index b2b0a22..b2c36cf 100644 --- a/test/wsfed.tests.js +++ b/test/wsfed.tests.js @@ -1,5 +1,5 @@ var expect = require('chai').expect; -var server = require('./fixture/server'); +var server = require('./fixture/wsfed-server'); var request = require('request'); var cheerio = require('cheerio'); @@ -28,12 +28,14 @@ describe('wsfed', function () { $ = cheerio.load(b); var wresult = $('input[name="wresult"]').attr('value'); var wa = $('input[name="wa"]').attr('value'); + request.post({ jar: request.jar(), uri: 'http://localhost:5050/callback', form: { wresult: wresult, wa: wa } }, function(err, response, body) { if(err) return done(err); + r = response; bod = body; done(); From 737ad722b05ce8dbebd67ca1cd392a73b7917025 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Thu, 9 May 2013 23:41:05 -0300 Subject: [PATCH 030/203] saml2 assertion validation tests --- lib/passport-wsfed-saml2/saml.js | 13 ++++++++++++- lib/passport-wsfed-saml2/samlp.js | 7 +++++-- package.json | 6 +++--- test/saml11.tests.js | 2 +- 4 files changed, 21 insertions(+), 7 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index e0046f7..876e431 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -214,7 +214,18 @@ SAML.prototype.validateSamlAssertion = function (samlAssertionString, callback) var profile = self.parseAttributes(samlAssertion, version); - profile.issuer = version === '2.0' ? samlAssertion.Issuer : samlAssertion['@'].Issuer; + var issuer; + if (samlAssertion['saml:Issuer']) { + issuer = samlAssertion['saml:Issuer']; + } else if (samlAssertion.Issuer) { + issuer = samlAssertion.Issuer; + } else if (samlAssertion['@'].Issuer) { + issuer = samlAssertion['@'].Issuer; + } else { + issuer = null; + } + + profile.issuer = issuer; if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index fc08659..b2fc950 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -22,8 +22,11 @@ Samlp.prototype = { Issuer: options.realm, ProtocolBinding: options.protocolBinding, AssertionConsumerServiceURL: options.callback - }); - + }).replace(/\r\n/g, '') + .replace(/\n/g,'') + .replace(/>(\s*)<') //unindent + .trim(); + if (options.deflate) { zlib.deflateRaw(new Buffer(SAMLRequest), function(err, buffer) { if (err) return callback(err); diff --git a/package.json b/package.json index a20bfbc..8c9b53a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.3.12", + "version": "0.5.0", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha --reporter spec" @@ -22,7 +22,7 @@ "passport": "0.1.x", "xml2js": "0.1.x", "xml-crypto": "~0.0.10", - "xmldom": "=0.1.13", + "xmldom": "~0.1.15", "xtend": "~2.0.3", "ejs": "~0.8.3" }, @@ -37,7 +37,7 @@ "xpath": "0.0.5", "xtend": "~2.0.3", "moment": "~1.7.2", - "saml": "~0.2.7", + "saml": "~0.3.1", "wsfed": "~0.3.4", "should": "~1.1.0", "samlp": "~0.2.0" diff --git a/test/saml11.tests.js b/test/saml11.tests.js index 38e8e2f..76d04c5 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -6,7 +6,7 @@ var assert = require('assert'), saml11 = require('saml').Saml11, SamlPassport = require('../lib/passport-wsfed-saml2/saml').SAML; -describe('saml 1.1', function () { +describe('saml 1.1 assertion', function () { it('should parse attributes', function (done) { // cert created with: From 5142ec0552def9c390e520672d24c9885e139a64 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Fri, 14 Jun 2013 14:43:57 -0300 Subject: [PATCH 031/203] saml2 tests, unicode tests, change the way we handle errors --- lib/passport-wsfed-saml2/saml.js | 50 ++++++++++++++++++-------- package.json | 9 +++-- test/interop.tests.js | 62 ++++++++++++++++++++++++++++++++ test/saml11.tests.js | 47 +++++++++++++++++++++++- test/saml20.tests.js | 45 +++++++++++++++++++++++ 5 files changed, 192 insertions(+), 21 deletions(-) create mode 100644 test/interop.tests.js create mode 100644 test/saml20.tests.js diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 876e431..ff32173 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -30,17 +30,17 @@ SAML.prototype.certToPEM = function (cert) { return cert; }; -SAML.prototype.validateSignature = function (xml, cert, thumbprint) { +SAML.prototype.validateSignature = function (xml, cert, thumbprint, callback) { var self = this; var doc = new xmldom.DOMParser().parseFromString(xml); var signature = xmlCrypto.xpath.SelectNodes(doc, this.options.signaturePath)[0]; if (!signature) - return false; + return callback(new Error('Signature is missing (xpath: ' + this.options.signaturePath + ')')); var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); sig.keyInfoProvider = { getKeyInfo: function (key) { - return "" + return ""; }, getKey: function (keyInfo) { if (thumbprint) { @@ -48,7 +48,7 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint) { if (embeddedSignature.length > 0) { var base64cer = embeddedSignature[0].firstChild.toString(); var shasum = crypto.createHash('sha1'); - var der = new Buffer(base64cer, 'base64').toString('binary') + var der = new Buffer(base64cer, 'base64').toString('binary'); shasum.update(der); self.calculatedThumbprint = shasum.digest('hex'); @@ -62,12 +62,20 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint) { sig.loadSignature(signature.toString()); var valid = sig.checkSignature(xml); + if (!valid) { + return callback(new Error('Signature check errors: ' + sig.validationErrors)); + } + if (cert) { - return valid; + return callback(null); } if (thumbprint) { - return valid && this.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase(); + if (this.calculatedThumbprint.toUpperCase() !== thumbprint.toUpperCase()) { + return callback(new Error('Invalid thumbprint (expected: ' + this.calculatedThumbprint.toUpperCase() + '. actual: ' + thumbprint.toUpperCase() + ')' )); + } + + return callback(); } }; @@ -173,22 +181,34 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { SAML.prototype.validateSamlResponse = function (samlResponse, callback) { var self = this; - - if (self.options.validateResponse && !self.validateSignature(samlResponse, self.options.cert, self.options.thumbprint)) { - return callback(new Error('Invalid signature'), null); + if (!self.options.validateResponse) { + return callback(); } - return callback(); + // validates signature + self.validateSignature(samlResponse, self.options.cert, self.options.thumbprint, function(err) { + if (err) return callback(err); + + return callback(); + }); }; SAML.prototype.validateSamlAssertion = function (samlAssertionString, callback) { var self = this; - - // Verify signature - if (self.options.validateSignature && !self.validateSignature(samlAssertionString, self.options.cert, self.options.thumbprint)) { - return callback(new Error('Invalid signature'), null); + if (!self.options.validateSignature) { + return self._parseAssertion(samlAssertionString, callback); } + // validates signature and parse assertion + self.validateSignature(samlAssertionString, self.options.cert, self.options.thumbprint, function(err) { + if (err) return callback(err); + + self._parseAssertion(samlAssertionString, callback); + }); +}; + +SAML.prototype._parseAssertion = function(samlAssertionString, callback) { + var self = this; var parser = new xml2js.Parser(); parser.parseString(samlAssertionString, function (err, samlAssertion) { @@ -224,7 +244,7 @@ SAML.prototype.validateSamlAssertion = function (samlAssertionString, callback) } else { issuer = null; } - + profile.issuer = issuer; if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { diff --git a/package.json b/package.json index 8c9b53a..2102320 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "dependencies": { "passport": "0.1.x", "xml2js": "0.1.x", - "xml-crypto": "~0.0.10", + "xml-crypto": "git://github.com/auth0/xml-crypto.git", "xmldom": "~0.1.15", "xtend": "~2.0.3", "ejs": "~0.8.3" @@ -33,14 +33,13 @@ "request": "~2.14.0", "xmldom": "~0.1.13", "cheerio": "~0.10.7", - "xml-crypto": "0.0.10", "xpath": "0.0.5", "xtend": "~2.0.3", "moment": "~1.7.2", - "saml": "~0.3.1", - "wsfed": "~0.3.4", + "saml": "~0.4.2", + "wsfed": "~0.3.5", "should": "~1.1.0", - "samlp": "~0.2.0" + "samlp": "~0.4.3" }, "engines": { "node": ">= 0.6.0" diff --git a/test/interop.tests.js b/test/interop.tests.js new file mode 100644 index 0000000..150bb9e --- /dev/null +++ b/test/interop.tests.js @@ -0,0 +1,62 @@ +var assert = require('assert'), + fs = require('fs'), + utils = require('./utils'), + moment = require('moment'), + should = require('should'), + saml11 = require('saml').Saml11, + SamlPassport = require('../lib/passport-wsfed-saml2/saml').SAML; + +var Parser = require('xmldom').DOMParser, + SignedXml = require('xml-crypto').SignedXml; + +describe('saml 1.1 assertion', function () { + + it('should validate an assertion from office365', function (done) { + var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; + + var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0', + realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', + checkExpiration: false}); // dont check expiration since we are harcoding the token + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + + assert.ok(profile); + done(); + }); + + }); + + // it('should validate a saml response from datapower', function (done) { + // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; + // //var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage'; + + // // var sig = new SignedXml(null, { signatureAlgorithm: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', idAttribute: 'ID' }); + // // sig.addReference("//*[local-name(.)='Response' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']", + // // ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], + // // 'http://www.w3.org/2000/09/xmldsig#sha1'); + + // // sig.signingKey = fs.readFileSync(__dirname + '/test-auth0.key'); + + // // sig.keyInfoProvider = { + // // getKeyInfo: function () { + // // return "" + fs.readFileSync(__dirname + '/test-auth0.cer') + ""; + // // } + // // }; + // // sig.computeSignature(SAMLResponse); + // // SAMLResponse = sig.getSignedXml(); + + // //console.log(SAMLResponse) + // // done(); + + // var saml_passport = new SamlPassport({thumbprint: 'ea410870b7699f08888b0b5ef0fbf11a6a157b4b', + // realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', + // validateResponse: true, + // checkExpiration: false}); // dont check expiration since we are harcoding the token + // var profile = saml_passport.validateSamlResponse(SAMLResponse, function(err, profile) { + // if (err) return done(err); + + // assert.ok(profile); + // done(); + // }); + + // }); +}); diff --git a/test/saml11.tests.js b/test/saml11.tests.js index 76d04c5..a3a0fea 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -30,7 +30,7 @@ describe('saml 1.1 assertion', function () { var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); - var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { assert.ok(profile); assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); @@ -43,6 +43,37 @@ describe('saml 1.1 assertion', function () { }); + it('should handle unicode', function (done) { + + var options = { + cert: fs.readFileSync(__dirname + '/test-auth0.pem'), + key: fs.readFileSync(__dirname + '/test-auth0.key'), + issuer: 'urn:issuer', + lifetimeInSeconds: 600, + audiences: 'urn:myapp', + attributes: { + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'сообщить@bar.com', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'сообщить вКонтакте' + }, + nameIdentifier: 'вКонтакте', + nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' + }; + + var signedAssertion = saml11.create(options); + + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + + assert.ok(profile); + assert.equal('вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); + assert.equal('сообщить вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']); + assert.equal('сообщить@bar.com', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']); + done(); + }); + + }); + it('should validate an assertion from office365', function (done) { var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; @@ -56,4 +87,18 @@ describe('saml 1.1 assertion', function () { }); }); + + it('should return error if validation fails', function (done) { + var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; + + var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe1', // WRONG thumbprint + realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', + checkExpiration: false}); // dont check expiration since we are harcoding the token + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + + assert.ok(error.message.indexOf('Invalid thumbprint') === 0); + done(); + }); + + }); }); diff --git a/test/saml20.tests.js b/test/saml20.tests.js new file mode 100644 index 0000000..2ec52ec --- /dev/null +++ b/test/saml20.tests.js @@ -0,0 +1,45 @@ +var assert = require('assert'), + fs = require('fs'), + utils = require('./utils'), + moment = require('moment'), + should = require('should'), + saml20 = require('saml').Saml20, + SamlPassport = require('../lib/passport-wsfed-saml2/saml').SAML; + +describe('saml 2.0 assertion', function () { + + it('should parse attributes', function (done) { + // cert created with: + // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem + + var options = { + cert: fs.readFileSync(__dirname + '/test-auth0.pem'), + key: fs.readFileSync(__dirname + '/test-auth0.key'), + issuer: 'urn:issuer', + lifetimeInSeconds: 600, + audiences: 'urn:myapp', + attributes: { + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'foo@bar.com', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar' + }, + nameIdentifier: 'foo', + nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' + }; + + var signedAssertion = saml20.create(options); + + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + + assert.ok(profile); + assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); + assert.equal('Foo Bar', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']); + assert.equal('foo@bar.com', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']); + assert.equal('foo@bar.com', profile['email']); + assert.equal('urn:issuer', profile['issuer']); + done(); + }); + + }); +}); From 94dabcb14096f867cb74f492a1bc6438e383b823 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 8 Jul 2013 11:23:46 -0300 Subject: [PATCH 032/203] refactoring to support signed responses and assertions smarter --- lib/passport-wsfed-saml2/saml.js | 74 ++++++++++-------------- lib/passport-wsfed-saml2/samlp.js | 52 +++++++++++++++-- lib/passport-wsfed-saml2/strategy.js | 34 +++++------ lib/passport-wsfed-saml2/wsfederation.js | 4 +- package.json | 3 +- test/fixture/samlp-server.js | 26 ++++++--- test/interop.tests.js | 1 - test/samlp.tests.js | 55 ++++++++++++++++++ 8 files changed, 168 insertions(+), 81 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index ff32173..6f599ae 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -4,6 +4,7 @@ var xml2js = require('xml2js'); var xmlCrypto = require('xml-crypto'); var crypto = require('crypto'); var xmldom = require('xmldom'); +var xpath = require('xpath'); var SAML = function (options) { this.options = options; @@ -11,16 +12,6 @@ var SAML = function (options) { if (!options.cert && !options.thumbprint) { throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate'); } - - options.signaturePath = options.signaturePath || "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - - if (typeof options.validateSignature === 'undefined') { - options.validateSignature = true; - } - - if (typeof options.validateResponse === 'undefined') { - options.validateResponse = false; - } }; SAML.prototype.certToPEM = function (cert) { @@ -30,12 +21,14 @@ SAML.prototype.certToPEM = function (cert) { return cert; }; -SAML.prototype.validateSignature = function (xml, cert, thumbprint, callback) { +SAML.prototype.validateSignature = function (xml, options, callback) { var self = this; - var doc = new xmldom.DOMParser().parseFromString(xml); - var signature = xmlCrypto.xpath.SelectNodes(doc, this.options.signaturePath)[0]; + if (typeof xml === 'string') xml = new xmldom.DOMParser().parseFromString(xml); + + var signaturePath = this.options.signaturePath || options.signaturePath; + var signature = xpath.select(signaturePath, xml)[0]; if (!signature) - return callback(new Error('Signature is missing (xpath: ' + this.options.signaturePath + ')')); + return callback(new Error('Signature is missing (xpath: ' + signaturePath + ')')); var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); sig.keyInfoProvider = { @@ -43,8 +36,8 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint, callback) { return ""; }, getKey: function (keyInfo) { - if (thumbprint) { - var embeddedSignature = keyInfo[0].getElementsByTagName("X509Certificate"); + if (options.thumbprint) { + var embeddedSignature = keyInfo[0].getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate"); if (embeddedSignature.length > 0) { var base64cer = embeddedSignature[0].firstChild.toString(); var shasum = crypto.createHash('sha1'); @@ -56,23 +49,23 @@ SAML.prototype.validateSignature = function (xml, cert, thumbprint, callback) { } } - return self.certToPEM(cert); + return self.certToPEM(options.cert); } }; sig.loadSignature(signature.toString()); - var valid = sig.checkSignature(xml); + var valid = sig.checkSignature(xml.toString()); if (!valid) { return callback(new Error('Signature check errors: ' + sig.validationErrors)); } - if (cert) { - return callback(null); + if (options.cert) { + return callback(); } - if (thumbprint) { - if (this.calculatedThumbprint.toUpperCase() !== thumbprint.toUpperCase()) { - return callback(new Error('Invalid thumbprint (expected: ' + this.calculatedThumbprint.toUpperCase() + '. actual: ' + thumbprint.toUpperCase() + ')' )); + if (options.thumbprint) { + if (this.calculatedThumbprint.toUpperCase() !== options.thumbprint.toUpperCase()) { + return callback(new Error('Invalid thumbprint (configured: ' + options.thumbprint.toUpperCase() + '. calculated: ' + this.calculatedThumbprint.toUpperCase() + ')' )); } return callback(); @@ -179,38 +172,29 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { return profile; }; -SAML.prototype.validateSamlResponse = function (samlResponse, callback) { +SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { var self = this; - if (!self.options.validateResponse) { - return callback(); - } - // validates signature - self.validateSignature(samlResponse, self.options.cert, self.options.thumbprint, function(err) { - if (err) return callback(err); - - return callback(); - }); -}; + if (typeof samlAssertion === 'string') + samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion); -SAML.prototype.validateSamlAssertion = function (samlAssertionString, callback) { - var self = this; - if (!self.options.validateSignature) { - return self._parseAssertion(samlAssertionString, callback); - } - - // validates signature and parse assertion - self.validateSignature(samlAssertionString, self.options.cert, self.options.thumbprint, function(err) { + self.validateSignature(samlAssertion, { + cert: self.options.cert, + thumbprint: self.options.thumbprint, + signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) { if (err) return callback(err); - self._parseAssertion(samlAssertionString, callback); + self.parseAssertion(samlAssertion, callback); }); }; -SAML.prototype._parseAssertion = function(samlAssertionString, callback) { +SAML.prototype.parseAssertion = function(samlAssertion, callback) { var self = this; + if (typeof samlAssertion !== 'string') + samlAssertion = samlAssertion.toString(); + var parser = new xml2js.Parser(); - parser.parseString(samlAssertionString, function (err, samlAssertion) { + parser.parseString(samlAssertion, function (err, samlAssertion) { if (self.options.extractSAMLAssertion){ samlAssertion = self.options.extractSAMLAssertion(samlAssertion); diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index b2fc950..04b9ddc 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -1,14 +1,16 @@ var xmldom = require('xmldom'); +var xpath = require('xpath'); var qs = require('querystring'); var zlib = require('zlib'); var xtend = require('xtend'); var templates = require('./templates'); -var Samlp = module.exports = function Samlp (options) { +var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; this.options.protocolBinding = options.protocolBinding || 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'; if (typeof options.deflate === 'undefined') this.options.deflate = true; + this._saml = saml; }; Samlp.prototype = { @@ -48,12 +50,50 @@ Samlp.prototype = { return decoded; }, - extractToken: function(samlpResponse) { - var doc = new xmldom.DOMParser().parseFromString(samlpResponse); - var token = doc.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'Assertion')[0]; - var tokenString = new xmldom.XMLSerializer().serializeToString(token); + extractAssertion: function(samlpResponse) { + if (typeof samlpResponse === 'string') + samlpResponse = new xmldom.DOMParser().parseFromString(samlpResponse); + + var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; + var token = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion')[0]; + // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion + if (token.prefix && !token.getAttributeNS(saml2Namespace, token.prefix)) { + token.setAttribute('xmlns:' + token.prefix, token.lookupNamespaceURI(token.prefix)); + } + + return token; + }, + + validateSamlResponse: function (samlResponse, callback) { + var self = this; - return tokenString; + if (typeof samlResponse === 'string') + samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); + + var assertion = self.extractAssertion(samlResponse); + + var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; + var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isAssertionSigned = xpath.select(samlAssertionSignaturePath, assertion).length > 0; + + if (!isResponseSigned && !isAssertionSigned) + return callback(new Error('neither the response nor the assertion are signed')); + + if (isResponseSigned) { + self._saml.validateSignature(samlResponse, { + cert: self.options.cert, + thumbprint: self.options.thumbprint, + signaturePath: samlResponseSignaturePath }, function(err) { + if (err) return callback(err); + + if (!isAssertionSigned) return self._saml.parseAssertion(assertion, callback); + + return self._saml.validateSamlAssertion(assertion, callback); + }); + } else if (isAssertionSigned) { + return self._saml.validateSamlAssertion(assertion, callback); + } } }; diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 1287f42..f2e5c2a 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -3,6 +3,7 @@ var util = require('util'); var saml = require('./saml'); var wsfed = require('./wsfederation'); var samlp = require('./samlp'); +var xmldom = require('xmldom'); function Strategy (options, verify) { if (typeof options == 'function') { @@ -11,9 +12,10 @@ function Strategy (options, verify) { } this.options = options || {}; + this.options.protocol = this.options.protocol || 'wsfed'; if (!verify) { - throw new Error('Windows Azure Access Control Service authentication strategy requires a verify function'); + throw new Error('this strategy requires a verify function'); } this.name = 'wsfed-saml2'; @@ -23,16 +25,16 @@ function Strategy (options, verify) { this._verify = verify; this._saml = new saml.SAML(this.options); this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); - this._samlp = new samlp(this.options); + this._samlp = new samlp(this.options, this._saml); } util.inherits(Strategy, passport.Strategy); Strategy.prototype.authenticate = function (req, opts) { var self = this; - var protocol = opts.protocol || 'wsfed'; + var protocol = opts.protocol || this.options.protocol; - function executeWsfed(req, options) { + function executeWsfed(req) { if (req.body && req.method == 'POST' && req.body.wresult) { if (req.body.wresult.indexOf('<') === -1) { return self.fail('wresult should be a valid xml', 400); @@ -67,7 +69,7 @@ Strategy.prototype.authenticate = function (req, opts) { } } - function executeSamlp(req, options) { + function executeSamlp(req) { if (req.body && req.method == 'POST' && req.body.SAMLResponse) { var samlResponse = self._samlp.decodeResponse(req); if (samlResponse.indexOf('<') === -1) { @@ -75,23 +77,19 @@ Strategy.prototype.authenticate = function (req, opts) { } // We have a response, get the user identity out of it - self._saml.validateSamlResponse(samlResponse, function (err) { + var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); + self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { if (err) return self.fail(err, 400); + + var verified = function (err, user, info) { + if (err) return self.error(err); - var token = self._samlp.extractToken(samlResponse); - self._saml.validateSamlAssertion(token, function (err, profile) { - if (err) return self.fail(err, 400); - - var verified = function (err, user, info) { - if (err) return self.error(err); - - if (!user) return self.fail(info); + if (!user) return self.fail(info); - self.success(user, info); - }; + self.success(user, info); + }; - self._verify(profile, verified); - }); + self._verify(profile, verified); }); } else { // Initiate new samlp authentication request diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index 34ba272..fac4372 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -29,11 +29,9 @@ WsFederation.prototype = { extractToken: function(req) { var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']); - var token = doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0].firstChild; - var tokenString = new xmldom.XMLSerializer().serializeToString(token); - return tokenString; + return token; } }; diff --git a/package.json b/package.json index 2102320..158e8ee 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,8 @@ "xml-crypto": "git://github.com/auth0/xml-crypto.git", "xmldom": "~0.1.15", "xtend": "~2.0.3", - "ejs": "~0.8.3" + "ejs": "~0.8.3", + "xpath": "0.0.5" }, "devDependencies": { "chai": "~1.5.0", diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 1fe68a6..864e963 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -13,7 +13,6 @@ var relayState = 'somestate'; passport.use('samlp', new Strategy( { - validateSignature: true, path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, @@ -26,8 +25,6 @@ passport.use('samlp', new Strategy( passport.use('samlp-signedresponse', new Strategy( { - validateSignature: false, - validateResponse: true, path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, @@ -40,8 +37,6 @@ passport.use('samlp-signedresponse', new Strategy( passport.use('samlp-signedresponse-invalidcert', new Strategy( { - validateSignature: false, - validateResponse: true, path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, @@ -54,8 +49,6 @@ passport.use('samlp-signedresponse-invalidcert', new Strategy( passport.use('samlp-invalidcert', new Strategy( { - validateSignature: true, - validateResponse: false, path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, @@ -66,6 +59,18 @@ passport.use('samlp-invalidcert', new Strategy( }) ); +passport.use('samlp-signedresponse-signedassertion', new Strategy( + { + path: '/callback', + thumbprint: 'C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB', + checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide + }, + function(profile, done) { + return done(null, profile); + }) +); + + var fakeUser = { id: '12345678', displayName: 'John Foo', @@ -155,6 +160,13 @@ module.exports.start = function(options, callback){ } ); + app.post('/callback/samlp-signedresponse-signedassertion', + passport.authenticate('samlp-signedresponse-signedassertion', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + var server = http.createServer(app).listen(5051, callback); module.exports.close = server.close.bind(server); }; diff --git a/test/interop.tests.js b/test/interop.tests.js index 150bb9e..efc3b6a 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -18,7 +18,6 @@ describe('saml 1.1 assertion', function () { realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { - assert.ok(profile); done(); }); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 66d323d..b63e2e1 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -195,6 +195,61 @@ describe('samlp', function () { }); }); + + describe('signed samlp response and assertion', function () { + var user, r, bod, $; + + // SAMLResponse comes from open.feide https://openidp.feide.no + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-signedresponse-signedassertion', + form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZjEzOGQyZTUzMWQ0NjI0ZmNhZmQ4OGJlYWNmN2VjMzkwMzRmMmEzNzRkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMy0wNy0wN1QxMTo1NToxOFoiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2YxMzhkMmU1MzFkNDYyNGZjYWZkODhiZWFjZjdlYzM5MDM0ZjJhMzc0ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+VXJHUURDSGF0eTRjNzZqTW5oWmZZb09qQ1RFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5uSGZLUDRzbXliTHQxRTdwNVZJMkttUnZtL3RYMEpVRVNGYUN6ejM4M1RDMWpTU2JaODZKSVJYSVdMRXl1WTJCOTJBNHdmdC8zaHhqV2ZBNTNWUFdsYS93UzBEcitRbzUxU2svTzZNek1tbXRXakx2WVZhTDhvQ3lZUFZHSDlyWXZ4cnlnVXFyVkZDZVZhS3U5Y1VwVWpPdXZTYzM1dUovOEJFZUZ1cTdBMm89PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2l6Q0NBZlFDQ1FDWTh0S2FNYzBCTWpBTkJna3Foa2lHOXcwQkFRVUZBRENCaVRFTE1Ba0dBMVVFQmhNQ1RrOHhFakFRQmdOVkJBZ1RDVlJ5YjI1a2FHVnBiVEVRTUE0R0ExVUVDaE1IVlU1SlRrVlVWREVPTUF3R0ExVUVDeE1GUm1WcFpHVXhHVEFYQmdOVkJBTVRFRzl3Wlc1cFpIQXVabVZwWkdVdWJtOHhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtRnVaSEpsWVhNdWMyOXNZbVZ5WjBCMWJtbHVaWFIwTG01dk1CNFhEVEE0TURVd09EQTVNakkwT0ZvWERUTTFNRGt5TXpBNU1qSTBPRm93Z1lreEN6QUpCZ05WQkFZVEFrNVBNUkl3RUFZRFZRUUlFd2xVY205dVpHaGxhVzB4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4RGpBTUJnTlZCQXNUQlVabGFXUmxNUmt3RndZRFZRUURFeEJ2Y0dWdWFXUndMbVpsYVdSbExtNXZNU2t3SndZSktvWklodmNOQVFrQkZocGhibVJ5WldGekxuTnZiR0psY21kQWRXNXBibVYwZEM1dWJ6Q0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUF0OGpMb3FJMVZUbHhBWjJheGlESVRoV2NBT1hkdThLa1ZVV2FOL1Nvb085TzBRUTdLUlVqU0dLTjlKSzY1QUZSRFhRa1dQQXU0SGxuTzRub1lsRlNMbll5RHhJNjZMQ3I3MXg0bGdGSmpxTGVBdkIvR3FCcUZmSVozWUsvTnJoblVxRndadTYzbkxyWmpjVVp4TmFQak9PU1JTRGFYcHYxa2I1azNqT2lTR0VDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQlFZajRjQWFmV2FZZmpCVTJ6aTFFbHdTdElhSjVueXAvcy84QjhTQVBLMlQ3OU1jTXljY1Azd1NXMTNMSGttTTFqd0tlM0FDRlhCdnFHUU4wSWJjSDQ5aHUwRktoWUZNL0dQREpjSUhGQnNpeU1CWENocHllOXZCYVRORUJDdFUzS2pqeUcwaFJUMm1BUTloK2JrUG1PdmxFby9hSDB4UjY4WjlodzRQRjEzdz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEzLTA3LTA3VDExOjU1OjE4WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vb3BlbmlkcC5mZWlkZS5ubzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI19lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlZPWVNVQlZZSUNvTWJwbk5INEVCRHhBUWtKTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RW1rR1docVZvZ25vNWhja01UcG9ySHFwT0szVDZpZ2JRVXA2Zmkxc1pvcXFsd3cxSUtmc3REMW1LdzVjM21JcldyNjFnOTh4TFMxLzBnMW5hUWlpT0MzbDl6Y0g3QUFIOVdGWW5JejdGeUE4dmllKzBxTE1Dbno4cVVpZ21HWDNRbEdiQ1QzUHVUNDEzUWlZSm9DT2VXME5zYUpaWUNINUFOWnprSUJsdG9nPTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNpekNDQWZRQ0NRQ1k4dEthTWMwQk1qQU5CZ2txaGtpRzl3MEJBUVVGQURDQmlURUxNQWtHQTFVRUJoTUNUazh4RWpBUUJnTlZCQWdUQ1ZSeWIyNWthR1ZwYlRFUU1BNEdBMVVFQ2hNSFZVNUpUa1ZVVkRFT01Bd0dBMVVFQ3hNRlJtVnBaR1V4R1RBWEJnTlZCQU1URUc5d1pXNXBaSEF1Wm1WcFpHVXVibTh4S1RBbkJna3Foa2lHOXcwQkNRRVdHbUZ1WkhKbFlYTXVjMjlzWW1WeVowQjFibWx1WlhSMExtNXZNQjRYRFRBNE1EVXdPREE1TWpJME9Gb1hEVE0xTURreU16QTVNakkwT0Zvd2dZa3hDekFKQmdOVkJBWVRBazVQTVJJd0VBWURWUVFJRXdsVWNtOXVaR2hsYVcweEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReERqQU1CZ05WQkFzVEJVWmxhV1JsTVJrd0Z3WURWUVFERXhCdmNHVnVhV1J3TG1abGFXUmxMbTV2TVNrd0p3WUpLb1pJaHZjTkFRa0JGaHBoYm1SeVpXRnpMbk52YkdKbGNtZEFkVzVwYm1WMGRDNXViekNCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBdDhqTG9xSTFWVGx4QVoyYXhpRElUaFdjQU9YZHU4S2tWVVdhTi9Tb29POU8wUVE3S1JValNHS045Sks2NUFGUkRYUWtXUEF1NEhsbk80bm9ZbEZTTG5ZeUR4STY2TENyNzF4NGxnRkpqcUxlQXZCL0dxQnFGZklaM1lLL05yaG5VcUZ3WnU2M25MclpqY1VaeE5hUGpPT1NSU0RhWHB2MWtiNWszak9pU0dFQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUJRWWo0Y0FhZldhWWZqQlUyemkxRWx3U3RJYUo1bnlwL3MvOEI4U0FQSzJUNzlNY015Y2NQM3dTVzEzTEhrbU0xandLZTNBQ0ZYQnZxR1FOMEliY0g0OWh1MEZLaFlGTS9HUERKY0lIRkJzaXlNQlhDaHB5ZTl2QmFUTkVCQ3RVM0tqanlHMGhSVDJtQVE5aCtia1BtT3ZsRW8vYUgweFI2OFo5aHc0UEYxM3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0idXJuOmF1dGgwOmxvZ2luLWRldjMiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fOTVkYThhZjQ4MjY4NmEwY2VjZDY0Y2I3Y2FmOGU4NzFiN2FjMTFkYWUxPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA3LTA3VDEyOjAwOjE4WiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDctMDdUMTE6NTQ6NDhaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTI6MDA6MThaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnVybjphdXRoMDpsb2dpbi1kZXYzPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wNy0wN1QxMToxMTo0MVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTk6NTU6MThaIiBTZXNzaW9uSW5kZXg9Il81ZDA2MDZhMGIxZmQ5Nzk4ZDJhMjg3MjE5M2UzOWE5MDdhM2MwYmE0MTUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJjbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPk1hdGlhcyBXb2xvc2tpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXRpYXN3QGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraUBybmQuZmVpZGUubm88L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uVGFyZ2V0ZWRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPjFiMTI0NmQ3MjgxOTdiYjQ3ZDA5MzQyYWE0ZjZjM2Y0N2Y0ZTkyYWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPldvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzIFdvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+bWF0aWFzd0BnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjYiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj53b2xvc2tpQHJuZC5mZWlkZS5ubzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xYjEyNDZkNzI4MTk3YmI0N2QwOTM0MmFhNGY2YzNmNDdmNGU5MmFlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should validate response and not signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + /* + { + uid: 'woloski', + givenName: 'Matias', + sn: 'Woloski', + cn: 'Matias Woloski', + mail: 'matiasw@gmail.com', + eduPersonPrincipalName: 'woloski@rnd.feide.no', + eduPersonTargetedID: '1b1246d728197bb47d09342aa4f6c3f47f4e92ae', + 'urn:oid:0.9.2342.19200300.100.1.1': 'woloski', + 'urn:oid:2.5.4.42': 'Matias', + 'urn:oid:2.5.4.4': 'Woloski', + 'urn:oid:2.5.4.3': 'Matias Woloski', + 'urn:oid:0.9.2342.19200300.100.1.3': 'matiasw@gmail.com', + 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6': 'woloski@rnd.feide.no', + 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10': '1b1246d728197bb47d09342aa4f6c3f47f4e92ae', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': '_95da8af482686a0cecd64cb7caf8e871b7ac11dae1', + issuer: 'https://openidp.feide.no' + } + */ + expect(user['uid']).to.equal('woloski'); + expect(user['givenName']).to.equal('Matias'); + expect(user['sn']).to.equal('Woloski'); + expect(user['cn']).to.equal('Matias Woloski'); + expect(user['uid']).to.equal('woloski'); + expect(user['urn:oid:0.9.2342.19200300.100.1.1']).to.equal('woloski'); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']).to.equal('_95da8af482686a0cecd64cb7caf8e871b7ac11dae1'); + }); + }); + }); function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { From bdfb6df230bfde83ed65e1cc6c06901a20120bf1 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 8 Jul 2013 11:24:05 -0300 Subject: [PATCH 033/203] bump to 0.6.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 158e8ee..c23bc7e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.5.0", + "version": "0.6.0", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha --reporter spec" From 4a873904b1973c45b4a5cbdef6a03d82a2397757 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 9 Jul 2013 08:58:38 -0300 Subject: [PATCH 034/203] more interop testing --- package.json | 2 +- test/fixture/samlp-server.js | 17 +++++++ test/interop.tests.js | 96 ++++++++++++++++++++++++++++++++++++ test/samlp.tests.js | 54 -------------------- 4 files changed, 114 insertions(+), 55 deletions(-) diff --git a/package.json b/package.json index c23bc7e..0ca5c06 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.6.0", + "version": "0.6.1", "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", "scripts": { "test": "mocha --reporter spec" diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 864e963..d020219 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -70,6 +70,16 @@ passport.use('samlp-signedresponse-signedassertion', new Strategy( }) ); +passport.use('samlp-ping', new Strategy( + { + path: '/callback', + thumbprint: '44340220770a348444be34970939cff8a2d74f08', + checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide + }, + function(profile, done) { + return done(null, profile); + }) +); var fakeUser = { id: '12345678', @@ -167,6 +177,13 @@ module.exports.start = function(options, callback){ } ); + app.post('/callback/samlp-ping', + passport.authenticate('samlp-ping', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + var server = http.createServer(app).listen(5051, callback); module.exports.close = server.close.bind(server); }; diff --git a/test/interop.tests.js b/test/interop.tests.js index efc3b6a..f4bbcc3 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -6,11 +6,24 @@ var assert = require('assert'), saml11 = require('saml').Saml11, SamlPassport = require('../lib/passport-wsfed-saml2/saml').SAML; +var request = require('request'); +var server = require('./fixture/samlp-server'); +var expect = require('chai').expect; + var Parser = require('xmldom').DOMParser, SignedXml = require('xml-crypto').SignedXml; describe('saml 1.1 assertion', function () { + before(function (done) { + server.start(done); + }); + + after(function (done) { + server.close(done); + }); + + it('should validate an assertion from office365', function (done) { var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; @@ -24,6 +37,89 @@ describe('saml 1.1 assertion', function () { }); + describe('signed samlp response and assertion from open feide', function () { + var user, r, bod, $; + + // SAMLResponse comes from open.feide https://openidp.feide.no + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-signedresponse-signedassertion', + form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZjEzOGQyZTUzMWQ0NjI0ZmNhZmQ4OGJlYWNmN2VjMzkwMzRmMmEzNzRkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMy0wNy0wN1QxMTo1NToxOFoiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2YxMzhkMmU1MzFkNDYyNGZjYWZkODhiZWFjZjdlYzM5MDM0ZjJhMzc0ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+VXJHUURDSGF0eTRjNzZqTW5oWmZZb09qQ1RFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5uSGZLUDRzbXliTHQxRTdwNVZJMkttUnZtL3RYMEpVRVNGYUN6ejM4M1RDMWpTU2JaODZKSVJYSVdMRXl1WTJCOTJBNHdmdC8zaHhqV2ZBNTNWUFdsYS93UzBEcitRbzUxU2svTzZNek1tbXRXakx2WVZhTDhvQ3lZUFZHSDlyWXZ4cnlnVXFyVkZDZVZhS3U5Y1VwVWpPdXZTYzM1dUovOEJFZUZ1cTdBMm89PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2l6Q0NBZlFDQ1FDWTh0S2FNYzBCTWpBTkJna3Foa2lHOXcwQkFRVUZBRENCaVRFTE1Ba0dBMVVFQmhNQ1RrOHhFakFRQmdOVkJBZ1RDVlJ5YjI1a2FHVnBiVEVRTUE0R0ExVUVDaE1IVlU1SlRrVlVWREVPTUF3R0ExVUVDeE1GUm1WcFpHVXhHVEFYQmdOVkJBTVRFRzl3Wlc1cFpIQXVabVZwWkdVdWJtOHhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtRnVaSEpsWVhNdWMyOXNZbVZ5WjBCMWJtbHVaWFIwTG01dk1CNFhEVEE0TURVd09EQTVNakkwT0ZvWERUTTFNRGt5TXpBNU1qSTBPRm93Z1lreEN6QUpCZ05WQkFZVEFrNVBNUkl3RUFZRFZRUUlFd2xVY205dVpHaGxhVzB4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4RGpBTUJnTlZCQXNUQlVabGFXUmxNUmt3RndZRFZRUURFeEJ2Y0dWdWFXUndMbVpsYVdSbExtNXZNU2t3SndZSktvWklodmNOQVFrQkZocGhibVJ5WldGekxuTnZiR0psY21kQWRXNXBibVYwZEM1dWJ6Q0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUF0OGpMb3FJMVZUbHhBWjJheGlESVRoV2NBT1hkdThLa1ZVV2FOL1Nvb085TzBRUTdLUlVqU0dLTjlKSzY1QUZSRFhRa1dQQXU0SGxuTzRub1lsRlNMbll5RHhJNjZMQ3I3MXg0bGdGSmpxTGVBdkIvR3FCcUZmSVozWUsvTnJoblVxRndadTYzbkxyWmpjVVp4TmFQak9PU1JTRGFYcHYxa2I1azNqT2lTR0VDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQlFZajRjQWFmV2FZZmpCVTJ6aTFFbHdTdElhSjVueXAvcy84QjhTQVBLMlQ3OU1jTXljY1Azd1NXMTNMSGttTTFqd0tlM0FDRlhCdnFHUU4wSWJjSDQ5aHUwRktoWUZNL0dQREpjSUhGQnNpeU1CWENocHllOXZCYVRORUJDdFUzS2pqeUcwaFJUMm1BUTloK2JrUG1PdmxFby9hSDB4UjY4WjlodzRQRjEzdz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEzLTA3LTA3VDExOjU1OjE4WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vb3BlbmlkcC5mZWlkZS5ubzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI19lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlZPWVNVQlZZSUNvTWJwbk5INEVCRHhBUWtKTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RW1rR1docVZvZ25vNWhja01UcG9ySHFwT0szVDZpZ2JRVXA2Zmkxc1pvcXFsd3cxSUtmc3REMW1LdzVjM21JcldyNjFnOTh4TFMxLzBnMW5hUWlpT0MzbDl6Y0g3QUFIOVdGWW5JejdGeUE4dmllKzBxTE1Dbno4cVVpZ21HWDNRbEdiQ1QzUHVUNDEzUWlZSm9DT2VXME5zYUpaWUNINUFOWnprSUJsdG9nPTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNpekNDQWZRQ0NRQ1k4dEthTWMwQk1qQU5CZ2txaGtpRzl3MEJBUVVGQURDQmlURUxNQWtHQTFVRUJoTUNUazh4RWpBUUJnTlZCQWdUQ1ZSeWIyNWthR1ZwYlRFUU1BNEdBMVVFQ2hNSFZVNUpUa1ZVVkRFT01Bd0dBMVVFQ3hNRlJtVnBaR1V4R1RBWEJnTlZCQU1URUc5d1pXNXBaSEF1Wm1WcFpHVXVibTh4S1RBbkJna3Foa2lHOXcwQkNRRVdHbUZ1WkhKbFlYTXVjMjlzWW1WeVowQjFibWx1WlhSMExtNXZNQjRYRFRBNE1EVXdPREE1TWpJME9Gb1hEVE0xTURreU16QTVNakkwT0Zvd2dZa3hDekFKQmdOVkJBWVRBazVQTVJJd0VBWURWUVFJRXdsVWNtOXVaR2hsYVcweEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReERqQU1CZ05WQkFzVEJVWmxhV1JsTVJrd0Z3WURWUVFERXhCdmNHVnVhV1J3TG1abGFXUmxMbTV2TVNrd0p3WUpLb1pJaHZjTkFRa0JGaHBoYm1SeVpXRnpMbk52YkdKbGNtZEFkVzVwYm1WMGRDNXViekNCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBdDhqTG9xSTFWVGx4QVoyYXhpRElUaFdjQU9YZHU4S2tWVVdhTi9Tb29POU8wUVE3S1JValNHS045Sks2NUFGUkRYUWtXUEF1NEhsbk80bm9ZbEZTTG5ZeUR4STY2TENyNzF4NGxnRkpqcUxlQXZCL0dxQnFGZklaM1lLL05yaG5VcUZ3WnU2M25MclpqY1VaeE5hUGpPT1NSU0RhWHB2MWtiNWszak9pU0dFQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUJRWWo0Y0FhZldhWWZqQlUyemkxRWx3U3RJYUo1bnlwL3MvOEI4U0FQSzJUNzlNY015Y2NQM3dTVzEzTEhrbU0xandLZTNBQ0ZYQnZxR1FOMEliY0g0OWh1MEZLaFlGTS9HUERKY0lIRkJzaXlNQlhDaHB5ZTl2QmFUTkVCQ3RVM0tqanlHMGhSVDJtQVE5aCtia1BtT3ZsRW8vYUgweFI2OFo5aHc0UEYxM3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0idXJuOmF1dGgwOmxvZ2luLWRldjMiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fOTVkYThhZjQ4MjY4NmEwY2VjZDY0Y2I3Y2FmOGU4NzFiN2FjMTFkYWUxPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA3LTA3VDEyOjAwOjE4WiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDctMDdUMTE6NTQ6NDhaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTI6MDA6MThaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnVybjphdXRoMDpsb2dpbi1kZXYzPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wNy0wN1QxMToxMTo0MVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTk6NTU6MThaIiBTZXNzaW9uSW5kZXg9Il81ZDA2MDZhMGIxZmQ5Nzk4ZDJhMjg3MjE5M2UzOWE5MDdhM2MwYmE0MTUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJjbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPk1hdGlhcyBXb2xvc2tpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXRpYXN3QGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraUBybmQuZmVpZGUubm88L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uVGFyZ2V0ZWRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPjFiMTI0NmQ3MjgxOTdiYjQ3ZDA5MzQyYWE0ZjZjM2Y0N2Y0ZTkyYWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPldvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzIFdvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+bWF0aWFzd0BnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjYiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj53b2xvc2tpQHJuZC5mZWlkZS5ubzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xYjEyNDZkNzI4MTk3YmI0N2QwOTM0MmFhNGY2YzNmNDdmNGU5MmFlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should validate response and not signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + /* + { + uid: 'woloski', + givenName: 'Matias', + sn: 'Woloski', + cn: 'Matias Woloski', + mail: 'matiasw@gmail.com', + eduPersonPrincipalName: 'woloski@rnd.feide.no', + eduPersonTargetedID: '1b1246d728197bb47d09342aa4f6c3f47f4e92ae', + 'urn:oid:0.9.2342.19200300.100.1.1': 'woloski', + 'urn:oid:2.5.4.42': 'Matias', + 'urn:oid:2.5.4.4': 'Woloski', + 'urn:oid:2.5.4.3': 'Matias Woloski', + 'urn:oid:0.9.2342.19200300.100.1.3': 'matiasw@gmail.com', + 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6': 'woloski@rnd.feide.no', + 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10': '1b1246d728197bb47d09342aa4f6c3f47f4e92ae', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': '_95da8af482686a0cecd64cb7caf8e871b7ac11dae1', + issuer: 'https://openidp.feide.no' + } + */ + expect(user['uid']).to.equal('woloski'); + expect(user['givenName']).to.equal('Matias'); + expect(user['sn']).to.equal('Woloski'); + expect(user['cn']).to.equal('Matias Woloski'); + expect(user['uid']).to.equal('woloski'); + expect(user['urn:oid:0.9.2342.19200300.100.1.1']).to.equal('woloski'); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']).to.equal('_95da8af482686a0cecd64cb7caf8e871b7ac11dae1'); + }); + }); + + describe('signed assertion from ping', function () { + var r, bod; + + // SAMLResponse comes from Ping + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-ping', + form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iXzRhNDMyMzEzNmNhMGFkNDU3OGNiIiBJc3N1ZUluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIxWiIgSUQ9IklEMzBlNjM2OTcyYzgxYmNkN2E1MzBkMWJkNjc4MmM4YmNiZTU2Y2U4NjEwZDM0ZDJjMDIiIFZlcnNpb249IjIuMCIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPlBpbmdDb25uZWN0PC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24gVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIxWiIgSUQ9IklENzc1MzVlNjc2YjM0ZDQyNzAzMWM3NTM5ODk2Nzg5YzE5NTM4ZTdlNmRmNTY5YWQ4MDIiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sOklzc3Vlcj5QaW5nQ29ubmVjdDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CjxkczpTaWduZWRJbmZvPgo8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+CjxkczpSZWZlcmVuY2UgVVJJPSIjSUQ3NzUzNWU2NzZiMzRkNDI3MDMxYzc1Mzk4OTY3ODljMTk1MzhlN2U2ZGY1NjlhZDgwMiI+CjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPgo8ZHM6RGlnZXN0VmFsdWU+elRZdENWTVpBUDJYZGFJRDM3VlMyZ1MrTEwwPTwvZHM6RGlnZXN0VmFsdWU+CjwvZHM6UmVmZXJlbmNlPgo8L2RzOlNpZ25lZEluZm8+CjxkczpTaWduYXR1cmVWYWx1ZT4KUUNaRGtMMXRzZzFISDNtQVd3UDJzYWlRVFNldTBsTTdmdXNCQmlsL3RDdGpkU2xlZXgra1JETFpvY2p1SytVcDEvN0poS0NOVVE2SApOcVd0cWZHVVJpcUpaKzI5UVoxdzZibU93YXVzZzFiUkJGb0VtUkd0cER4dTBwNHNXemlOdzJ0eU81b1ZWSDYwaEFmZllHTjcweUg0CkUxd2t1emVhRVhOWFhGaEFKeHNOVGo1SkdEZmNld1U5UjQvVW1yTlVYWTdrdkJRV3BRcmI1VE5TNjNrL0hhaEdsN3pPNzJla1FVK04KU0FUU0Eyb2hJU09obVBTbUVyQVVaQkI2Z0FSQ2srT2xWRld0VS9NUnFFMlo5UWFXNndkYlBnVkg0d2JYbnA4YkcxdTQ0VHk5bUFDWApiKzhXT0F3NHBYTkxXYzVZK2dKaVFyaUdyb3p6b0pQaDVGL3FDZz09CjwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPgo8ZHM6WDUwOURhdGE+CjxkczpYNTA5Q2VydGlmaWNhdGU+Ck1JSUZ4akNDQks2Z0F3SUJBZ0lRYXFiblNYTklDQWRmVFo4Sm9pcU9VakFOQmdrcWhraUc5dzBCQVFVRkFEQmlNUXN3Q1FZRFZRUUcKRXdKVlV6RWhNQjhHQTFVRUNoTVlUbVYwZDI5eWF5QlRiMngxZEdsdmJuTWdUQzVNTGtNdU1UQXdMZ1lEVlFRREV5ZE9aWFIzYjNKcgpJRk52YkhWMGFXOXVjeUJEWlhKMGFXWnBZMkYwWlNCQmRYUm9iM0pwZEhrd0hoY05NVEl3TXpBeU1EQXdNREF3V2hjTk1UUXdPREk0Ck1qTTFPVFU1V2pDQnp6RUxNQWtHQTFVRUJoTUNWVk14RGpBTUJnTlZCQkVUQlRnd01qQXlNUXN3Q1FZRFZRUUlFd0pEVHpFUE1BMEcKQTFVRUJ4TUdSR1Z1ZG1WeU1SSXdFQVlEVlFRSkV3bFRkV2wwWlNBeE1EQXhHVEFYQmdOVkJBa1RFREV3TURFZ01UZDBhQ0JUZEhKbApaWFF4SWpBZ0JnTlZCQW9UR1ZCcGJtY2dTV1JsYm5ScGRIa2dRMjl5Y0c5eVlYUnBiMjR4R0RBV0JnTlZCQXNURDFObFkzVnlaU0JNCmFXNXJJRk5UVERFbE1DTUdBMVVFQXhNY2MzTnZMbU52Ym01bFkzUXVjR2x1WjJsa1pXNTBhWFI1TG1OdmJUQ0NBU0l3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKZjF1UnZkSTJIdHJtNFNLUTZJd0xtSk9MeXJZdDNvdlJHaUJjejVoLzdmM3BqQwp4UjNYaml1dlVzZjR3T0pVWDAwRzNhcXpvK1o3VGVIRkJPOXA1UnBPWlFwK01tRDFGWko4ZlNUQVZjTDhUZHZKRjFKWUNaZEt3bCtMCk1MS0ZtWnZRMFljR0NOcEVmL1NRRlI1VlJUZzNmekV3eWdMMklsRFpYbXJ6RklBTk04R0JGUFNrZ3JoZitad3lsNnY1TVo2VEhQemUKSlpzMkZnek05MjVkZUNhZDUwMWZJOWtsdnRyRVN6NCtrZUxITEN3TFU2dCtKYW5vMzJneHZLYzNLZ2VyWlJkZ2pEcGI1MVpjRE10WQo4dTZBMXVVUGpnSmdPTHkvVFd5NUpXaE4vQmlwQkNGWEFXRTZCRDdKb3lmUEJTTjlRaE51cWR2WHM3NVhyRmxmNUk4Q0F3RUFBYU9DCkFnZ3dnZ0lFTUI4R0ExVWRJd1FZTUJhQUZEeEI0bzhJQ0tsTUpZbU5iY1U0MFB5RmpHSVhNQjBHQTFVZERnUVdCQlRRdHNIWU0wU0UKK0JwUGdUcUFudDhtb05CeHp6QU9CZ05WSFE4QkFmOEVCQU1DQmFBd0RBWURWUjBUQVFIL0JBSXdBREFkQmdOVkhTVUVGakFVQmdncgpCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdhd1lEVlIwZ0JHUXdZakJnQmd3ckJnRUVBWVlPQVFJQkF3RXdVREJPQmdnckJnRUZCUWNDCkFSWkNhSFIwY0RvdkwzZDNkeTV1WlhSM2IzSnJjMjlzZFhScGIyNXpMbU52YlM5c1pXZGhiQzlUVTB3dGJHVm5ZV3d0Y21Wd2IzTnAKZEc5eWVTMWpjSE11YW5Od01Ib0dBMVVkSHdSek1IRXdOcUEwb0RLR01HaDBkSEE2THk5amNtd3VibVYwYzI5c2MzTnNMbU52YlM5TwpaWFIzYjNKclUyOXNkWFJwYjI1elgwTkJMbU55YkRBM29EV2dNNFl4YUhSMGNEb3ZMMk55YkRJdWJtVjBjMjlzYzNOc0xtTnZiUzlPClpYUjNiM0pyVTI5c2RYUnBiMjV6WDBOQkxtTnliREJ6QmdnckJnRUZCUWNCQVFSbk1HVXdQQVlJS3dZQkJRVUhNQUtHTUdoMGRIQTYKTHk5M2QzY3VibVYwYzI5c2MzTnNMbU52YlM5T1pYUjNiM0pyVTI5c2RYUnBiMjV6WDBOQkxtTnlkREFsQmdnckJnRUZCUWN3QVlZWgphSFIwY0RvdkwyOWpjM0F1Ym1WMGMyOXNjM05zTG1OdmJUQW5CZ05WSFJFRUlEQWVnaHh6YzI4dVkyOXVibVZqZEM1d2FXNW5hV1JsCmJuUnBkSGt1WTI5dE1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQ0h1elNEaHg0Ukd5N1JiQ0FJMG1maWR2bXR6ZmFMVm9LaUIzVFoKSlVmNmpreXF5NmN3bjA5bjQxdW1kdUpZRHU4K2p2ODFKZUxXdGpabWxYZmhzb3ZhQlRJRVd4aUkxTlFLNlY5Rjk3ZDM3bHF5c3ZJbQprSUliaFVKaEJvSW5ZUldLM1dxYXd6V295Vjh2eFAxaDdNam81c1BOZ3FmTnNVVm5iOVBJODA0bFg3UEZZSHJxS0tudXJxb09kTHJvCnpGU2pBeUU0NElFNWdHWWVqN05SbE5EY1VRcEZ3Yjd6MkJqTVJtQ3RReTA2VlRjSFVlZDdNcWc5WHNNVHA4WXlDbW9uWkFlTGpXYTkKZnFDcVFJZzZvT3BTNzhKeXN4bGVFM3YvUWtYd0tmdGwzZGFiT2dwL1hDMzF6VW1MRDhqTzZLYmRpTzhrQ1B1TFFIUEl2c0ZvYXRDSQo8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4KPC9kczpYNTA5RGF0YT4KPGRzOktleVZhbHVlPgo8ZHM6UlNBS2V5VmFsdWU+CjxkczpNb2R1bHVzPgpsL1c1RzkwalllMnViaElwRG9qQXVZazR2S3RpM2VpOUVhSUZ6UG1IL3QvZW1NTEZIZGVPSzY5U3gvakE0bFJmVFFiZHFyT2o1bnROCjRjVUU3Mm5sR2s1bENuNHlZUFVWa254OUpNQlZ3dnhOMjhrWFVsZ0psMHJDWDRzd3NvV1ptOURSaHdZSTJrUi85SkFWSGxWRk9EZC8KTVRES0F2WWlVTmxlYXZNVWdBMHp3WUVVOUtTQ3VGLzVuREtYcS9reG5wTWMvTjRsbXpZV0RNejNibDE0SnAzblRWOGoyU1crMnNSTApQajZSNHNjc0xBdFRxMzRscWVqZmFERzhwemNxQjZ0bEYyQ01PbHZuVmx3TXkxank3b0RXNVErT0FtQTR2TDlOYkxrbGFFMzhHS2tFCklWY0JZVG9FUHNtako4OEZJMzFDRTI2cDI5ZXp2bGVzV1Yva2p3PT0KPC9kczpNb2R1bHVzPgo8ZHM6RXhwb25lbnQ+QVFBQjwvZHM6RXhwb25lbnQ+CjwvZHM6UlNBS2V5VmFsdWU+CjwvZHM6S2V5VmFsdWU+CjwvZHM6S2V5SW5mbz4KPC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnRlc3R1c2VyMUB0ZXN0aWRwLmNvbm5lY3QucGluZ2lkZW50aXR5LmNvbTwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzRhNDMyMzEzNmNhMGFkNDU3OGNiIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDhUMjA6MTA6MjUuNTIxWiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxMy0wNy0wOFQyMDoxMDoyNS41MjFaIiBOb3RCZWZvcmU9IjIwMTMtMDctMDhUMTk6MzA6MjUuNTIxWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT51cm46YXV0aDA6bG9naW4tZGV2Mzwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIyWiIgU2Vzc2lvbkluZGV4PSJsTGJTYlhpZmFPREx3T2hCZ1AyZk5PdVc5RmoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48c2FtbDpBdXRoZW50aWNhdGluZ0F1dGhvcml0eT50ZXN0aWRwLmNvbm5lY3QucGluZ2lkZW50aXR5LmNvbTwvc2FtbDpBdXRoZW50aWNhdGluZ0F1dGhvcml0eT48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iUGluZ09uZS5pZHBpZCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+YjE0ZWIwYjYtYTMzYS00MTRkLTljNzctMDEzMWUzMjRhNWI3PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9Im5hbWVpZCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+dGVzdF9uYW1laWQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iUGluZ09uZS5BdXRoZW50aWNhdGluZ0F1dGhvcml0eSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+dGVzdGlkcC5jb25uZWN0LnBpbmdpZGVudGl0eS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should validate response and not signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']).to.equal('testuser1@testidp.connect.pingidentity.com'); + }); + }); + + // it('should validate a saml response from datapower', function (done) { // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; // //var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage'; diff --git a/test/samlp.tests.js b/test/samlp.tests.js index b63e2e1..e5515cf 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -196,60 +196,6 @@ describe('samlp', function () { }); - describe('signed samlp response and assertion', function () { - var user, r, bod, $; - - // SAMLResponse comes from open.feide https://openidp.feide.no - before(function (done) { - request.post({ - jar: request.jar(), - uri: 'http://localhost:5051/callback/samlp-signedresponse-signedassertion', - form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZjEzOGQyZTUzMWQ0NjI0ZmNhZmQ4OGJlYWNmN2VjMzkwMzRmMmEzNzRkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMy0wNy0wN1QxMTo1NToxOFoiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2YxMzhkMmU1MzFkNDYyNGZjYWZkODhiZWFjZjdlYzM5MDM0ZjJhMzc0ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+VXJHUURDSGF0eTRjNzZqTW5oWmZZb09qQ1RFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5uSGZLUDRzbXliTHQxRTdwNVZJMkttUnZtL3RYMEpVRVNGYUN6ejM4M1RDMWpTU2JaODZKSVJYSVdMRXl1WTJCOTJBNHdmdC8zaHhqV2ZBNTNWUFdsYS93UzBEcitRbzUxU2svTzZNek1tbXRXakx2WVZhTDhvQ3lZUFZHSDlyWXZ4cnlnVXFyVkZDZVZhS3U5Y1VwVWpPdXZTYzM1dUovOEJFZUZ1cTdBMm89PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2l6Q0NBZlFDQ1FDWTh0S2FNYzBCTWpBTkJna3Foa2lHOXcwQkFRVUZBRENCaVRFTE1Ba0dBMVVFQmhNQ1RrOHhFakFRQmdOVkJBZ1RDVlJ5YjI1a2FHVnBiVEVRTUE0R0ExVUVDaE1IVlU1SlRrVlVWREVPTUF3R0ExVUVDeE1GUm1WcFpHVXhHVEFYQmdOVkJBTVRFRzl3Wlc1cFpIQXVabVZwWkdVdWJtOHhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtRnVaSEpsWVhNdWMyOXNZbVZ5WjBCMWJtbHVaWFIwTG01dk1CNFhEVEE0TURVd09EQTVNakkwT0ZvWERUTTFNRGt5TXpBNU1qSTBPRm93Z1lreEN6QUpCZ05WQkFZVEFrNVBNUkl3RUFZRFZRUUlFd2xVY205dVpHaGxhVzB4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4RGpBTUJnTlZCQXNUQlVabGFXUmxNUmt3RndZRFZRUURFeEJ2Y0dWdWFXUndMbVpsYVdSbExtNXZNU2t3SndZSktvWklodmNOQVFrQkZocGhibVJ5WldGekxuTnZiR0psY21kQWRXNXBibVYwZEM1dWJ6Q0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUF0OGpMb3FJMVZUbHhBWjJheGlESVRoV2NBT1hkdThLa1ZVV2FOL1Nvb085TzBRUTdLUlVqU0dLTjlKSzY1QUZSRFhRa1dQQXU0SGxuTzRub1lsRlNMbll5RHhJNjZMQ3I3MXg0bGdGSmpxTGVBdkIvR3FCcUZmSVozWUsvTnJoblVxRndadTYzbkxyWmpjVVp4TmFQak9PU1JTRGFYcHYxa2I1azNqT2lTR0VDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQlFZajRjQWFmV2FZZmpCVTJ6aTFFbHdTdElhSjVueXAvcy84QjhTQVBLMlQ3OU1jTXljY1Azd1NXMTNMSGttTTFqd0tlM0FDRlhCdnFHUU4wSWJjSDQ5aHUwRktoWUZNL0dQREpjSUhGQnNpeU1CWENocHllOXZCYVRORUJDdFUzS2pqeUcwaFJUMm1BUTloK2JrUG1PdmxFby9hSDB4UjY4WjlodzRQRjEzdz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEzLTA3LTA3VDExOjU1OjE4WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vb3BlbmlkcC5mZWlkZS5ubzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI19lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlZPWVNVQlZZSUNvTWJwbk5INEVCRHhBUWtKTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RW1rR1docVZvZ25vNWhja01UcG9ySHFwT0szVDZpZ2JRVXA2Zmkxc1pvcXFsd3cxSUtmc3REMW1LdzVjM21JcldyNjFnOTh4TFMxLzBnMW5hUWlpT0MzbDl6Y0g3QUFIOVdGWW5JejdGeUE4dmllKzBxTE1Dbno4cVVpZ21HWDNRbEdiQ1QzUHVUNDEzUWlZSm9DT2VXME5zYUpaWUNINUFOWnprSUJsdG9nPTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNpekNDQWZRQ0NRQ1k4dEthTWMwQk1qQU5CZ2txaGtpRzl3MEJBUVVGQURDQmlURUxNQWtHQTFVRUJoTUNUazh4RWpBUUJnTlZCQWdUQ1ZSeWIyNWthR1ZwYlRFUU1BNEdBMVVFQ2hNSFZVNUpUa1ZVVkRFT01Bd0dBMVVFQ3hNRlJtVnBaR1V4R1RBWEJnTlZCQU1URUc5d1pXNXBaSEF1Wm1WcFpHVXVibTh4S1RBbkJna3Foa2lHOXcwQkNRRVdHbUZ1WkhKbFlYTXVjMjlzWW1WeVowQjFibWx1WlhSMExtNXZNQjRYRFRBNE1EVXdPREE1TWpJME9Gb1hEVE0xTURreU16QTVNakkwT0Zvd2dZa3hDekFKQmdOVkJBWVRBazVQTVJJd0VBWURWUVFJRXdsVWNtOXVaR2hsYVcweEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReERqQU1CZ05WQkFzVEJVWmxhV1JsTVJrd0Z3WURWUVFERXhCdmNHVnVhV1J3TG1abGFXUmxMbTV2TVNrd0p3WUpLb1pJaHZjTkFRa0JGaHBoYm1SeVpXRnpMbk52YkdKbGNtZEFkVzVwYm1WMGRDNXViekNCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBdDhqTG9xSTFWVGx4QVoyYXhpRElUaFdjQU9YZHU4S2tWVVdhTi9Tb29POU8wUVE3S1JValNHS045Sks2NUFGUkRYUWtXUEF1NEhsbk80bm9ZbEZTTG5ZeUR4STY2TENyNzF4NGxnRkpqcUxlQXZCL0dxQnFGZklaM1lLL05yaG5VcUZ3WnU2M25MclpqY1VaeE5hUGpPT1NSU0RhWHB2MWtiNWszak9pU0dFQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUJRWWo0Y0FhZldhWWZqQlUyemkxRWx3U3RJYUo1bnlwL3MvOEI4U0FQSzJUNzlNY015Y2NQM3dTVzEzTEhrbU0xandLZTNBQ0ZYQnZxR1FOMEliY0g0OWh1MEZLaFlGTS9HUERKY0lIRkJzaXlNQlhDaHB5ZTl2QmFUTkVCQ3RVM0tqanlHMGhSVDJtQVE5aCtia1BtT3ZsRW8vYUgweFI2OFo5aHc0UEYxM3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0idXJuOmF1dGgwOmxvZ2luLWRldjMiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fOTVkYThhZjQ4MjY4NmEwY2VjZDY0Y2I3Y2FmOGU4NzFiN2FjMTFkYWUxPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA3LTA3VDEyOjAwOjE4WiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDctMDdUMTE6NTQ6NDhaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTI6MDA6MThaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnVybjphdXRoMDpsb2dpbi1kZXYzPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wNy0wN1QxMToxMTo0MVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTk6NTU6MThaIiBTZXNzaW9uSW5kZXg9Il81ZDA2MDZhMGIxZmQ5Nzk4ZDJhMjg3MjE5M2UzOWE5MDdhM2MwYmE0MTUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJjbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPk1hdGlhcyBXb2xvc2tpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXRpYXN3QGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraUBybmQuZmVpZGUubm88L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uVGFyZ2V0ZWRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPjFiMTI0NmQ3MjgxOTdiYjQ3ZDA5MzQyYWE0ZjZjM2Y0N2Y0ZTkyYWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPldvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzIFdvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+bWF0aWFzd0BnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjYiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj53b2xvc2tpQHJuZC5mZWlkZS5ubzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xYjEyNDZkNzI4MTk3YmI0N2QwOTM0MmFhNGY2YzNmNDdmNGU5MmFlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+' } - }, function(err, response, body) { - if(err) return done(err); - r = response; - bod = body; - done(); - }); - }); - - it('should validate response and not signature', function(){ - expect(r.statusCode) - .to.equal(200); - }); - - it('should return a valid user', function(){ - var user = JSON.parse(bod); - /* - { - uid: 'woloski', - givenName: 'Matias', - sn: 'Woloski', - cn: 'Matias Woloski', - mail: 'matiasw@gmail.com', - eduPersonPrincipalName: 'woloski@rnd.feide.no', - eduPersonTargetedID: '1b1246d728197bb47d09342aa4f6c3f47f4e92ae', - 'urn:oid:0.9.2342.19200300.100.1.1': 'woloski', - 'urn:oid:2.5.4.42': 'Matias', - 'urn:oid:2.5.4.4': 'Woloski', - 'urn:oid:2.5.4.3': 'Matias Woloski', - 'urn:oid:0.9.2342.19200300.100.1.3': 'matiasw@gmail.com', - 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6': 'woloski@rnd.feide.no', - 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10': '1b1246d728197bb47d09342aa4f6c3f47f4e92ae', - 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': '_95da8af482686a0cecd64cb7caf8e871b7ac11dae1', - issuer: 'https://openidp.feide.no' - } - */ - expect(user['uid']).to.equal('woloski'); - expect(user['givenName']).to.equal('Matias'); - expect(user['sn']).to.equal('Woloski'); - expect(user['cn']).to.equal('Matias Woloski'); - expect(user['uid']).to.equal('woloski'); - expect(user['urn:oid:0.9.2342.19200300.100.1.1']).to.equal('woloski'); - expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']).to.equal('_95da8af482686a0cecd64cb7caf8e871b7ac11dae1'); - }); - }); - }); function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { From fde5aea41100ba639740f12067c1540b3a29238c Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Wed, 7 Aug 2013 16:41:32 -0300 Subject: [PATCH 035/203] change the assertion is parsed to use DOM instead of xml2js check expiration and audience by default true update to latest xml-crypto that supports inclusivenamespaces --- lib/passport-wsfed-saml2/saml.js | 173 +++++++++++++++---------------- package.json | 3 +- test/fixture/samlp-server.js | 25 ++++- test/interop.tests.js | 50 ++++++++- test/saml20.tests.js | 74 ++++++++++--- test/samlp.tests.js | 3 + 6 files changed, 216 insertions(+), 112 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 6f599ae..0eef307 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -5,6 +5,7 @@ var xmlCrypto = require('xml-crypto'); var crypto = require('crypto'); var xmldom = require('xmldom'); var xpath = require('xpath'); +var cryptiles = require('cryptiles'); var SAML = function (options) { this.options = options; @@ -12,6 +13,9 @@ var SAML = function (options) { if (!options.cert && !options.thumbprint) { throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate'); } + + this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true; + this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; }; SAML.prototype.certToPEM = function (cert) { @@ -73,12 +77,14 @@ SAML.prototype.validateSignature = function (xml, options, callback) { }; SAML.prototype.validateExpiration = function (samlAssertion, version) { - var notBefore = new Date(version === '2.0' ? samlAssertion.Conditions['@'].NotBefore : samlAssertion['saml:Conditions']['@'].NotBefore); + var conditions = xpath.select("//*[local-name(.)='Conditions']", samlAssertion); + if (!conditions || conditions.length === 0) return false; + + var notBefore = new Date(conditions[0].getAttribute('NotBefore')); notBefore = notBefore.setMinutes(notBefore.getMinutes() - 10); // 10 minutes clock skew - var notOnOrAfter = new Date(version === '2.0' ? samlAssertion.Conditions['@'].NotOnOrAfter : samlAssertion['saml:Conditions']['@'].NotOnOrAfter); + var notOnOrAfter = new Date(conditions[0].getAttribute('NotOnOrAfter')); notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 10); // 10 minutes clock skew - var now = new Date(); if (now < notBefore || now > notOnOrAfter) @@ -88,79 +94,69 @@ SAML.prototype.validateExpiration = function (samlAssertion, version) { }; SAML.prototype.validateAudience = function (samlAssertion, realm, version) { - var audience = version === '2.0' ? samlAssertion.Conditions.AudienceRestriction.Audience : samlAssertion['saml:Conditions']['saml:AudienceRestrictionCondition']['saml:Audience']; - return audience === realm; + var audience; + if (version === '2.0') { + audience = xpath.select("//*[local-name(.)='Conditions']/*[local-name(.)='AudienceRestriction']/*[local-name(.)='Audience']", samlAssertion); + } else { + audience = xpath.select("//*[local-name(.)='Conditions']/*[local-name(.)='AudienceRestrictionCondition']/*[local-name(.)='Audience']", samlAssertion); + } + + if (!audience || audience.length === 0) return false; + return cryptiles.fixedTimeComparison(audience[0].textContent, realm); }; SAML.prototype.parseAttributes = function (samlAssertion, version) { function getAttributes(samlAssertion) { - if (samlAssertion['saml:AttributeStatement']) { - return samlAssertion['saml:AttributeStatement']['saml:Attribute']; - } else if (samlAssertion.AttributeStatement) { - return samlAssertion.AttributeStatement.Attribute; - } else { - return null; - } + var attributes = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Attribute']", samlAssertion); + return attributes; } function getNameID20(samlAssertion) { - if (samlAssertion['saml:Subject']) { - return samlAssertion['saml:Subject']['saml:NameID']; - } else if (samlAssertion.Subject) { - return samlAssertion.Subject.NameID; - } else { - return null; - } + var nameId = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='NameID']", samlAssertion); + if (nameId.length === 0) return; + return nameId[0].textContent; } function getNameID11(samlAssertion) { - if (samlAssertion['saml:AttributeStatement']) { - return samlAssertion['saml:AttributeStatement']['saml:Subject']['saml:NameIdentifier']; - } else if (samlAssertion.AttributeStatement) { - return samlAssertion.AttributeStatement.Subject.NameIdentifier; - } else { - return null; - } + var nameId = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); + if (nameId.length === 0) return; + return nameId[0].textContent; } - function getAttributeValue20(attribute) { - if (attribute['saml:AttributeValue']) { - return (typeof attribute['saml:AttributeValue']) === "string" ? attribute['saml:AttributeValue'] : attribute['saml:AttributeValue']['#']; - } else if (attribute.AttributeValue) { - return (typeof attribute.AttributeValue) === "string" ? attribute.AttributeValue : attribute.AttributeValue['#']; - } else { - return null; + function getAttributeValues(attribute) { + if (!attribute || attribute.childNodes.length === 0) return; + var attributeValues = []; + for (var i = 0; i 0) issuer = issuerNode[0].textContent; + } else { + issuer = samlAssertion.getAttribute('Issuer'); + } - profile.issuer = issuer; + profile.issuer = issuer; - if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { - profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; - } + if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { + profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; + } - callback(null, profile); - }); + callback(null, profile); }; exports.SAML = SAML; diff --git a/package.json b/package.json index 0ca5c06..fa670ee 100644 --- a/package.json +++ b/package.json @@ -25,7 +25,8 @@ "xmldom": "~0.1.15", "xtend": "~2.0.3", "ejs": "~0.8.3", - "xpath": "0.0.5" + "xpath": "0.0.5", + "cryptiles": "~0.2.2" }, "devDependencies": { "chai": "~1.5.0", diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index d020219..06bd434 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -14,7 +14,7 @@ var relayState = 'somestate'; passport.use('samlp', new Strategy( { path: '/callback', - realm: 'urn:fixture-test', + realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' }, @@ -26,7 +26,7 @@ passport.use('samlp', new Strategy( passport.use('samlp-signedresponse', new Strategy( { path: '/callback', - realm: 'urn:fixture-test', + realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' }, @@ -62,6 +62,7 @@ passport.use('samlp-invalidcert', new Strategy( passport.use('samlp-signedresponse-signedassertion', new Strategy( { path: '/callback', + realm: 'urn:auth0:login-dev3', thumbprint: 'C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, @@ -73,6 +74,7 @@ passport.use('samlp-signedresponse-signedassertion', new Strategy( passport.use('samlp-ping', new Strategy( { path: '/callback', + realm: 'urn:auth0:login-dev3', thumbprint: '44340220770a348444be34970939cff8a2d74f08', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, @@ -81,6 +83,18 @@ passport.use('samlp-ping', new Strategy( }) ); +passport.use('samlp-okta', new Strategy( + { + path: '/callback', + realm: 'https://auth0145.auth0.com', + thumbprint: 'a0c7dbb790e3476d3c5dd236f9f2060b1fd6e253', + checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide + }, + function(profile, done) { + return done(null, profile); + }) +); + var fakeUser = { id: '12345678', displayName: 'John Foo', @@ -184,6 +198,13 @@ module.exports.start = function(options, callback){ } ); + app.post('/callback/samlp-okta', + passport.authenticate('samlp-okta', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + var server = http.createServer(app).listen(5051, callback); module.exports.close = server.close.bind(server); }; diff --git a/test/interop.tests.js b/test/interop.tests.js index f4bbcc3..3ebbb02 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -13,7 +13,7 @@ var expect = require('chai').expect; var Parser = require('xmldom').DOMParser, SignedXml = require('xml-crypto').SignedXml; -describe('saml 1.1 assertion', function () { +describe('interop', function () { before(function (done) { server.start(done); @@ -30,7 +30,8 @@ describe('saml 1.1 assertion', function () { var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0', realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', checkExpiration: false}); // dont check expiration since we are harcoding the token - var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + if (err) return done(err); assert.ok(profile); done(); }); @@ -48,6 +49,7 @@ describe('saml 1.1 assertion', function () { form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZjEzOGQyZTUzMWQ0NjI0ZmNhZmQ4OGJlYWNmN2VjMzkwMzRmMmEzNzRkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMy0wNy0wN1QxMTo1NToxOFoiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2YxMzhkMmU1MzFkNDYyNGZjYWZkODhiZWFjZjdlYzM5MDM0ZjJhMzc0ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+VXJHUURDSGF0eTRjNzZqTW5oWmZZb09qQ1RFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5uSGZLUDRzbXliTHQxRTdwNVZJMkttUnZtL3RYMEpVRVNGYUN6ejM4M1RDMWpTU2JaODZKSVJYSVdMRXl1WTJCOTJBNHdmdC8zaHhqV2ZBNTNWUFdsYS93UzBEcitRbzUxU2svTzZNek1tbXRXakx2WVZhTDhvQ3lZUFZHSDlyWXZ4cnlnVXFyVkZDZVZhS3U5Y1VwVWpPdXZTYzM1dUovOEJFZUZ1cTdBMm89PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2l6Q0NBZlFDQ1FDWTh0S2FNYzBCTWpBTkJna3Foa2lHOXcwQkFRVUZBRENCaVRFTE1Ba0dBMVVFQmhNQ1RrOHhFakFRQmdOVkJBZ1RDVlJ5YjI1a2FHVnBiVEVRTUE0R0ExVUVDaE1IVlU1SlRrVlVWREVPTUF3R0ExVUVDeE1GUm1WcFpHVXhHVEFYQmdOVkJBTVRFRzl3Wlc1cFpIQXVabVZwWkdVdWJtOHhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtRnVaSEpsWVhNdWMyOXNZbVZ5WjBCMWJtbHVaWFIwTG01dk1CNFhEVEE0TURVd09EQTVNakkwT0ZvWERUTTFNRGt5TXpBNU1qSTBPRm93Z1lreEN6QUpCZ05WQkFZVEFrNVBNUkl3RUFZRFZRUUlFd2xVY205dVpHaGxhVzB4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4RGpBTUJnTlZCQXNUQlVabGFXUmxNUmt3RndZRFZRUURFeEJ2Y0dWdWFXUndMbVpsYVdSbExtNXZNU2t3SndZSktvWklodmNOQVFrQkZocGhibVJ5WldGekxuTnZiR0psY21kQWRXNXBibVYwZEM1dWJ6Q0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUF0OGpMb3FJMVZUbHhBWjJheGlESVRoV2NBT1hkdThLa1ZVV2FOL1Nvb085TzBRUTdLUlVqU0dLTjlKSzY1QUZSRFhRa1dQQXU0SGxuTzRub1lsRlNMbll5RHhJNjZMQ3I3MXg0bGdGSmpxTGVBdkIvR3FCcUZmSVozWUsvTnJoblVxRndadTYzbkxyWmpjVVp4TmFQak9PU1JTRGFYcHYxa2I1azNqT2lTR0VDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQlFZajRjQWFmV2FZZmpCVTJ6aTFFbHdTdElhSjVueXAvcy84QjhTQVBLMlQ3OU1jTXljY1Azd1NXMTNMSGttTTFqd0tlM0FDRlhCdnFHUU4wSWJjSDQ5aHUwRktoWUZNL0dQREpjSUhGQnNpeU1CWENocHllOXZCYVRORUJDdFUzS2pqeUcwaFJUMm1BUTloK2JrUG1PdmxFby9hSDB4UjY4WjlodzRQRjEzdz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEzLTA3LTA3VDExOjU1OjE4WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vb3BlbmlkcC5mZWlkZS5ubzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI19lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlZPWVNVQlZZSUNvTWJwbk5INEVCRHhBUWtKTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RW1rR1docVZvZ25vNWhja01UcG9ySHFwT0szVDZpZ2JRVXA2Zmkxc1pvcXFsd3cxSUtmc3REMW1LdzVjM21JcldyNjFnOTh4TFMxLzBnMW5hUWlpT0MzbDl6Y0g3QUFIOVdGWW5JejdGeUE4dmllKzBxTE1Dbno4cVVpZ21HWDNRbEdiQ1QzUHVUNDEzUWlZSm9DT2VXME5zYUpaWUNINUFOWnprSUJsdG9nPTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNpekNDQWZRQ0NRQ1k4dEthTWMwQk1qQU5CZ2txaGtpRzl3MEJBUVVGQURDQmlURUxNQWtHQTFVRUJoTUNUazh4RWpBUUJnTlZCQWdUQ1ZSeWIyNWthR1ZwYlRFUU1BNEdBMVVFQ2hNSFZVNUpUa1ZVVkRFT01Bd0dBMVVFQ3hNRlJtVnBaR1V4R1RBWEJnTlZCQU1URUc5d1pXNXBaSEF1Wm1WcFpHVXVibTh4S1RBbkJna3Foa2lHOXcwQkNRRVdHbUZ1WkhKbFlYTXVjMjlzWW1WeVowQjFibWx1WlhSMExtNXZNQjRYRFRBNE1EVXdPREE1TWpJME9Gb1hEVE0xTURreU16QTVNakkwT0Zvd2dZa3hDekFKQmdOVkJBWVRBazVQTVJJd0VBWURWUVFJRXdsVWNtOXVaR2hsYVcweEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReERqQU1CZ05WQkFzVEJVWmxhV1JsTVJrd0Z3WURWUVFERXhCdmNHVnVhV1J3TG1abGFXUmxMbTV2TVNrd0p3WUpLb1pJaHZjTkFRa0JGaHBoYm1SeVpXRnpMbk52YkdKbGNtZEFkVzVwYm1WMGRDNXViekNCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBdDhqTG9xSTFWVGx4QVoyYXhpRElUaFdjQU9YZHU4S2tWVVdhTi9Tb29POU8wUVE3S1JValNHS045Sks2NUFGUkRYUWtXUEF1NEhsbk80bm9ZbEZTTG5ZeUR4STY2TENyNzF4NGxnRkpqcUxlQXZCL0dxQnFGZklaM1lLL05yaG5VcUZ3WnU2M25MclpqY1VaeE5hUGpPT1NSU0RhWHB2MWtiNWszak9pU0dFQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUJRWWo0Y0FhZldhWWZqQlUyemkxRWx3U3RJYUo1bnlwL3MvOEI4U0FQSzJUNzlNY015Y2NQM3dTVzEzTEhrbU0xandLZTNBQ0ZYQnZxR1FOMEliY0g0OWh1MEZLaFlGTS9HUERKY0lIRkJzaXlNQlhDaHB5ZTl2QmFUTkVCQ3RVM0tqanlHMGhSVDJtQVE5aCtia1BtT3ZsRW8vYUgweFI2OFo5aHc0UEYxM3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0idXJuOmF1dGgwOmxvZ2luLWRldjMiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fOTVkYThhZjQ4MjY4NmEwY2VjZDY0Y2I3Y2FmOGU4NzFiN2FjMTFkYWUxPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA3LTA3VDEyOjAwOjE4WiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDctMDdUMTE6NTQ6NDhaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTI6MDA6MThaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnVybjphdXRoMDpsb2dpbi1kZXYzPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wNy0wN1QxMToxMTo0MVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTk6NTU6MThaIiBTZXNzaW9uSW5kZXg9Il81ZDA2MDZhMGIxZmQ5Nzk4ZDJhMjg3MjE5M2UzOWE5MDdhM2MwYmE0MTUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJjbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPk1hdGlhcyBXb2xvc2tpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXRpYXN3QGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraUBybmQuZmVpZGUubm88L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uVGFyZ2V0ZWRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPjFiMTI0NmQ3MjgxOTdiYjQ3ZDA5MzQyYWE0ZjZjM2Y0N2Y0ZTkyYWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPldvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzIFdvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+bWF0aWFzd0BnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjYiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj53b2xvc2tpQHJuZC5mZWlkZS5ubzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xYjEyNDZkNzI4MTk3YmI0N2QwOTM0MmFhNGY2YzNmNDdmNGU5MmFlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+' } }, function(err, response, body) { if(err) return done(err); + if (response.statusCode !== 200) return done(new Error(response.body)); r = response; bod = body; done(); @@ -91,6 +93,36 @@ describe('saml 1.1 assertion', function () { }); }); + describe('signed assertion from okta', function () { + var r, bod; + + // SAMLResponse comes from Okta + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-okta', + form: { SAMLResponse: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9hdXRoMDE0NS5hdXRoMC5jb20iIElEPSJpZDgxMzIzMDI4Njg0Njg5ODM4OTkzODY4MzEiIElzc3VlSW5zdGFudD0iMjAxMy0wOC0wM1QyMTo1NDo0My45NDJaIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwOi8vd3d3Lm9rdGEuY29tL2s3eGtocTBqVUhVUFFBWFZNVUFOPC9zYW1sMjpJc3N1ZXI+PHNhbWwycDpTdGF0dXMgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJpZDgxMzIzMDI4Njg1NDEwMTk3NTU0MTQxMjEiIElzc3VlSW5zdGFudD0iMjAxMy0wOC0wM1QyMTo1NDo0My45NDJaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSI+PHNhbWwyOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly93d3cub2t0YS5jb20vazd4a2hxMGpVSFVQUUFYVk1VQU48L3NhbWwyOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI2lkODEzMjMwMjg2ODU0MTAxOTc1NTQxNDEyMSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPjRHK3V2ZUttdGlCMUVrWTVCQXQrOGxtUXdqST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+UTgwTjZGVXI1L1lQdEV6UmxSZE1vUHUrYkwwTXNzRHhOVVkreXh5a3pibXhzSTBqb0VvL1NtbVNnWnJEWVFLVGxsWmsvS2Z6Qk1QRlY5eUJINCttRXpDVTVFM3h1Q3M5OWpaemFmY3czSzhtSU1USnkxWUh4amMzNTlkMjdSNXM1MGk5dzVQSHN1c1JvdjBNalFJb0oydzQ4R3k0RW5ZYVZpcUJSM1VWRXFFPTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ25UQ0NBZ2FnQXdJQkFnSUdBVUJHSHhxVU1BMEdDU3FHU0liM0RRRUJCUVVBTUlHUk1Rc3dDUVlEVlFRR0V3SlZVekVUTUJFRwpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFakFRQmdOVkJBTU1DV3RzZFdkc1lXSnpNakVjTUJvR0NTcUdTSWIzRFFFSkFSWU4KYVc1bWIwQnZhM1JoTG1OdmJUQWVGdzB4TXpBNE1ETXlNVE00TXpoYUZ3MDBNekE0TURNeU1UTTVNemhhTUlHUk1Rc3dDUVlEVlFRRwpFd0pWVXpFVE1CRUdBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFCkNnd0VUMnQwWVRFVU1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFakFRQmdOVkJBTU1DV3RzZFdkc1lXSnpNakVjTUJvR0NTcUcKU0liM0RRRUpBUllOYVc1bWIwQnZhM1JoTG1OdmJUQ0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUFzQ0I5bEpUSApxQjd2ZE01amVPSDg0Y1c4dTdJSFl2NC9PQVBZRjBmQlllOXdKeTE5Q2d5TTJPZ2lBU3VBY0l0bkg0V2hCK2lvMlpQd2IvWHdsN1V1CjRYbVVFMGwrbWtDTnVEWXA1ZlhUWnh3djVHNkh2a0F4WFppbzBSazlUMFZFVENyb3hncFM1THhRL28vb3dqUjM5Uzd4elJuajZkZFgKM01xMnlHakt5QmNDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQUIxcUdOcVNOTExXcStSUGNQK3dPYVd0WXBKT0o4L01iWgpFV1dtOS9LS0hLWE02Si96Z1VVSVhaaTNjek1lTytZK1gxNFBSOGxHWG9BSGY1Yi9KYXZHOUZtRnZSbjRmR2E0NVZUVm8yR2ZNTjZLCmFJS0Ywb2JlQ2JZaS9RVWY4QitYaTF0U0lKbTFWQ0tSRTdubmxpUS9UekdhTnVsZ1dleVRiVmtHMC9YOExRPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdCB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+YWRtaW5Aa2x1Z2xhYnMuY29tPC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA4LTAzVDIxOjU5OjQzLjk0MloiIFJlY2lwaWVudD0iaHR0cHM6Ly9hdXRoMDE0NS5hdXRoMC5jb20iLz48L3NhbWwyOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sMjpTdWJqZWN0PjxzYW1sMjpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMy0wOC0wM1QyMTo0OTo0My45NDNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDgtMDNUMjE6NTk6NDMuOTQyWiIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5odHRwczovL2F1dGgwMTQ1LmF1dGgwLmNvbTwvc2FtbDI6QXVkaWVuY2U+PC9zYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEzLTA4LTAzVDIxOjU0OjQzLjk0MloiIFNlc3Npb25JbmRleD0iaWQxMzc1NTY2ODgzOTQyLjY4NzYxMDQzNyIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iUm9sZSIgTmFtZUZvcm1hdD0ibnMiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPkFkbWluPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=' } + }, function(err, response, body) { + if(err) return done(err); + if (response.statusCode !== 200) return done(new Error(response.body)); + r = response; + bod = body; + done(); + }); + }); + + it('should validate response and not signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']).to.equal('admin@kluglabs.com'); + expect(user['Role']).to.equal('Admin'); + }); + }); + describe('signed assertion from ping', function () { var r, bod; @@ -102,6 +134,7 @@ describe('saml 1.1 assertion', function () { form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iXzRhNDMyMzEzNmNhMGFkNDU3OGNiIiBJc3N1ZUluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIxWiIgSUQ9IklEMzBlNjM2OTcyYzgxYmNkN2E1MzBkMWJkNjc4MmM4YmNiZTU2Y2U4NjEwZDM0ZDJjMDIiIFZlcnNpb249IjIuMCIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPlBpbmdDb25uZWN0PC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24gVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIxWiIgSUQ9IklENzc1MzVlNjc2YjM0ZDQyNzAzMWM3NTM5ODk2Nzg5YzE5NTM4ZTdlNmRmNTY5YWQ4MDIiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sOklzc3Vlcj5QaW5nQ29ubmVjdDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CjxkczpTaWduZWRJbmZvPgo8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+CjxkczpSZWZlcmVuY2UgVVJJPSIjSUQ3NzUzNWU2NzZiMzRkNDI3MDMxYzc1Mzk4OTY3ODljMTk1MzhlN2U2ZGY1NjlhZDgwMiI+CjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPgo8ZHM6RGlnZXN0VmFsdWU+elRZdENWTVpBUDJYZGFJRDM3VlMyZ1MrTEwwPTwvZHM6RGlnZXN0VmFsdWU+CjwvZHM6UmVmZXJlbmNlPgo8L2RzOlNpZ25lZEluZm8+CjxkczpTaWduYXR1cmVWYWx1ZT4KUUNaRGtMMXRzZzFISDNtQVd3UDJzYWlRVFNldTBsTTdmdXNCQmlsL3RDdGpkU2xlZXgra1JETFpvY2p1SytVcDEvN0poS0NOVVE2SApOcVd0cWZHVVJpcUpaKzI5UVoxdzZibU93YXVzZzFiUkJGb0VtUkd0cER4dTBwNHNXemlOdzJ0eU81b1ZWSDYwaEFmZllHTjcweUg0CkUxd2t1emVhRVhOWFhGaEFKeHNOVGo1SkdEZmNld1U5UjQvVW1yTlVYWTdrdkJRV3BRcmI1VE5TNjNrL0hhaEdsN3pPNzJla1FVK04KU0FUU0Eyb2hJU09obVBTbUVyQVVaQkI2Z0FSQ2srT2xWRld0VS9NUnFFMlo5UWFXNndkYlBnVkg0d2JYbnA4YkcxdTQ0VHk5bUFDWApiKzhXT0F3NHBYTkxXYzVZK2dKaVFyaUdyb3p6b0pQaDVGL3FDZz09CjwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPgo8ZHM6WDUwOURhdGE+CjxkczpYNTA5Q2VydGlmaWNhdGU+Ck1JSUZ4akNDQks2Z0F3SUJBZ0lRYXFiblNYTklDQWRmVFo4Sm9pcU9VakFOQmdrcWhraUc5dzBCQVFVRkFEQmlNUXN3Q1FZRFZRUUcKRXdKVlV6RWhNQjhHQTFVRUNoTVlUbVYwZDI5eWF5QlRiMngxZEdsdmJuTWdUQzVNTGtNdU1UQXdMZ1lEVlFRREV5ZE9aWFIzYjNKcgpJRk52YkhWMGFXOXVjeUJEWlhKMGFXWnBZMkYwWlNCQmRYUm9iM0pwZEhrd0hoY05NVEl3TXpBeU1EQXdNREF3V2hjTk1UUXdPREk0Ck1qTTFPVFU1V2pDQnp6RUxNQWtHQTFVRUJoTUNWVk14RGpBTUJnTlZCQkVUQlRnd01qQXlNUXN3Q1FZRFZRUUlFd0pEVHpFUE1BMEcKQTFVRUJ4TUdSR1Z1ZG1WeU1SSXdFQVlEVlFRSkV3bFRkV2wwWlNBeE1EQXhHVEFYQmdOVkJBa1RFREV3TURFZ01UZDBhQ0JUZEhKbApaWFF4SWpBZ0JnTlZCQW9UR1ZCcGJtY2dTV1JsYm5ScGRIa2dRMjl5Y0c5eVlYUnBiMjR4R0RBV0JnTlZCQXNURDFObFkzVnlaU0JNCmFXNXJJRk5UVERFbE1DTUdBMVVFQXhNY2MzTnZMbU52Ym01bFkzUXVjR2x1WjJsa1pXNTBhWFI1TG1OdmJUQ0NBU0l3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKZjF1UnZkSTJIdHJtNFNLUTZJd0xtSk9MeXJZdDNvdlJHaUJjejVoLzdmM3BqQwp4UjNYaml1dlVzZjR3T0pVWDAwRzNhcXpvK1o3VGVIRkJPOXA1UnBPWlFwK01tRDFGWko4ZlNUQVZjTDhUZHZKRjFKWUNaZEt3bCtMCk1MS0ZtWnZRMFljR0NOcEVmL1NRRlI1VlJUZzNmekV3eWdMMklsRFpYbXJ6RklBTk04R0JGUFNrZ3JoZitad3lsNnY1TVo2VEhQemUKSlpzMkZnek05MjVkZUNhZDUwMWZJOWtsdnRyRVN6NCtrZUxITEN3TFU2dCtKYW5vMzJneHZLYzNLZ2VyWlJkZ2pEcGI1MVpjRE10WQo4dTZBMXVVUGpnSmdPTHkvVFd5NUpXaE4vQmlwQkNGWEFXRTZCRDdKb3lmUEJTTjlRaE51cWR2WHM3NVhyRmxmNUk4Q0F3RUFBYU9DCkFnZ3dnZ0lFTUI4R0ExVWRJd1FZTUJhQUZEeEI0bzhJQ0tsTUpZbU5iY1U0MFB5RmpHSVhNQjBHQTFVZERnUVdCQlRRdHNIWU0wU0UKK0JwUGdUcUFudDhtb05CeHp6QU9CZ05WSFE4QkFmOEVCQU1DQmFBd0RBWURWUjBUQVFIL0JBSXdBREFkQmdOVkhTVUVGakFVQmdncgpCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdhd1lEVlIwZ0JHUXdZakJnQmd3ckJnRUVBWVlPQVFJQkF3RXdVREJPQmdnckJnRUZCUWNDCkFSWkNhSFIwY0RvdkwzZDNkeTV1WlhSM2IzSnJjMjlzZFhScGIyNXpMbU52YlM5c1pXZGhiQzlUVTB3dGJHVm5ZV3d0Y21Wd2IzTnAKZEc5eWVTMWpjSE11YW5Od01Ib0dBMVVkSHdSek1IRXdOcUEwb0RLR01HaDBkSEE2THk5amNtd3VibVYwYzI5c2MzTnNMbU52YlM5TwpaWFIzYjNKclUyOXNkWFJwYjI1elgwTkJMbU55YkRBM29EV2dNNFl4YUhSMGNEb3ZMMk55YkRJdWJtVjBjMjlzYzNOc0xtTnZiUzlPClpYUjNiM0pyVTI5c2RYUnBiMjV6WDBOQkxtTnliREJ6QmdnckJnRUZCUWNCQVFSbk1HVXdQQVlJS3dZQkJRVUhNQUtHTUdoMGRIQTYKTHk5M2QzY3VibVYwYzI5c2MzTnNMbU52YlM5T1pYUjNiM0pyVTI5c2RYUnBiMjV6WDBOQkxtTnlkREFsQmdnckJnRUZCUWN3QVlZWgphSFIwY0RvdkwyOWpjM0F1Ym1WMGMyOXNjM05zTG1OdmJUQW5CZ05WSFJFRUlEQWVnaHh6YzI4dVkyOXVibVZqZEM1d2FXNW5hV1JsCmJuUnBkSGt1WTI5dE1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQ0h1elNEaHg0Ukd5N1JiQ0FJMG1maWR2bXR6ZmFMVm9LaUIzVFoKSlVmNmpreXF5NmN3bjA5bjQxdW1kdUpZRHU4K2p2ODFKZUxXdGpabWxYZmhzb3ZhQlRJRVd4aUkxTlFLNlY5Rjk3ZDM3bHF5c3ZJbQprSUliaFVKaEJvSW5ZUldLM1dxYXd6V295Vjh2eFAxaDdNam81c1BOZ3FmTnNVVm5iOVBJODA0bFg3UEZZSHJxS0tudXJxb09kTHJvCnpGU2pBeUU0NElFNWdHWWVqN05SbE5EY1VRcEZ3Yjd6MkJqTVJtQ3RReTA2VlRjSFVlZDdNcWc5WHNNVHA4WXlDbW9uWkFlTGpXYTkKZnFDcVFJZzZvT3BTNzhKeXN4bGVFM3YvUWtYd0tmdGwzZGFiT2dwL1hDMzF6VW1MRDhqTzZLYmRpTzhrQ1B1TFFIUEl2c0ZvYXRDSQo8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4KPC9kczpYNTA5RGF0YT4KPGRzOktleVZhbHVlPgo8ZHM6UlNBS2V5VmFsdWU+CjxkczpNb2R1bHVzPgpsL1c1RzkwalllMnViaElwRG9qQXVZazR2S3RpM2VpOUVhSUZ6UG1IL3QvZW1NTEZIZGVPSzY5U3gvakE0bFJmVFFiZHFyT2o1bnROCjRjVUU3Mm5sR2s1bENuNHlZUFVWa254OUpNQlZ3dnhOMjhrWFVsZ0psMHJDWDRzd3NvV1ptOURSaHdZSTJrUi85SkFWSGxWRk9EZC8KTVRES0F2WWlVTmxlYXZNVWdBMHp3WUVVOUtTQ3VGLzVuREtYcS9reG5wTWMvTjRsbXpZV0RNejNibDE0SnAzblRWOGoyU1crMnNSTApQajZSNHNjc0xBdFRxMzRscWVqZmFERzhwemNxQjZ0bEYyQ01PbHZuVmx3TXkxank3b0RXNVErT0FtQTR2TDlOYkxrbGFFMzhHS2tFCklWY0JZVG9FUHNtako4OEZJMzFDRTI2cDI5ZXp2bGVzV1Yva2p3PT0KPC9kczpNb2R1bHVzPgo8ZHM6RXhwb25lbnQ+QVFBQjwvZHM6RXhwb25lbnQ+CjwvZHM6UlNBS2V5VmFsdWU+CjwvZHM6S2V5VmFsdWU+CjwvZHM6S2V5SW5mbz4KPC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnRlc3R1c2VyMUB0ZXN0aWRwLmNvbm5lY3QucGluZ2lkZW50aXR5LmNvbTwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzRhNDMyMzEzNmNhMGFkNDU3OGNiIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDhUMjA6MTA6MjUuNTIxWiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxMy0wNy0wOFQyMDoxMDoyNS41MjFaIiBOb3RCZWZvcmU9IjIwMTMtMDctMDhUMTk6MzA6MjUuNTIxWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT51cm46YXV0aDA6bG9naW4tZGV2Mzwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIyWiIgU2Vzc2lvbkluZGV4PSJsTGJTYlhpZmFPREx3T2hCZ1AyZk5PdVc5RmoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48c2FtbDpBdXRoZW50aWNhdGluZ0F1dGhvcml0eT50ZXN0aWRwLmNvbm5lY3QucGluZ2lkZW50aXR5LmNvbTwvc2FtbDpBdXRoZW50aWNhdGluZ0F1dGhvcml0eT48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iUGluZ09uZS5pZHBpZCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+YjE0ZWIwYjYtYTMzYS00MTRkLTljNzctMDEzMWUzMjRhNWI3PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9Im5hbWVpZCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+dGVzdF9uYW1laWQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iUGluZ09uZS5BdXRoZW50aWNhdGluZ0F1dGhvcml0eSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+dGVzdGlkcC5jb25uZWN0LnBpbmdpZGVudGl0eS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=' } }, function(err, response, body) { if(err) return done(err); + if (response.statusCode !== 200) return done(new Error(response.body)); r = response; bod = body; done(); @@ -119,6 +152,19 @@ describe('saml 1.1 assertion', function () { }); }); + it('should validate an assertion from adfs', function (done) { + var signedAssertion = 'urn:auth0:auth0john@fabrikam.comurn:oasis:names:tc:SAML:1.0:cm:bearerjohn@fabrikam.comJohn FabrikamJohnFabrikamjohn@fabrikam.comurn:oasis:names:tc:SAML:1.0:cm:bearer8Yi8+vbZagbCsopdmXFjeFvexHlkHYAViSf9w3yFbWo=SzQaNU4uo4IPJTsK3DZkYNx1FzpAoIxXyWiOMJyuUScYbvUHMjxoPsh6KJrkLwUIGnv07TpTFKrhjA/tGzLCwPMOWlpGp66N/U9wWe3vshHyW34/oAq14EwptjmXEPpHjR2P+giJAUJ0VTXIvbTsGNLuDVV/px43CoIX2D6jc8yt8VffAMX4R+WzI2a6QRMqglTbxzFEfcJC1yK9jT/UzjRIKe9bMS2T8kupDaGOWYj4XMh9BkIVXV40jJakss+cF4wjO/LWfpbwZwMzfOXBQV+W6O5X/HfTod/4zzmdFKjArx6vXQl7vCRr9AXUGgbPWdtSVK7HSMCyjZiAOGcr0Q==MIIC5DCCAcygAwIBAgIQGmfE0ae34q1IXJvpfhwYVDANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIFNpZ25pbmcgLSB0ZXN0LWFkZnMuYXV0aDEwLmNvbTAeFw0xMzAyMTIwMzU3MzlaFw0xNDAyMTIwMzU3MzlaMC4xLDAqBgNVBAMTI0FERlMgU2lnbmluZyAtIHRlc3QtYWRmcy5hdXRoMTAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuNaTwlMjKeXVabhVQJjmjousrLuYi5hxELIQX80ZT3/kTsRUQaP6AoCMEYjofcV6QnxQeHxHJgzcy5t4bmHozIsLYlroH7PaDNqXLnX+6ivAX1nFa9IOeaw3X206oGmCSo6pJxbW8LwXjYC7BYrINitm/mgcOrypbasADvO1j+fyjkBTFPuF2+La4ehwGCKdrvZZF0lDKiHPbCI8xqH7HOgX+QLtnhK2WclDIpcPd2eeaVq1fB8XBwTXNOv2ZdaEi2i3mDXQoa8wZVozqs5h6OKVXl7hNQH2/qUDAZc15kZcR9Zcxyo5v0GtqYS3J70Q+8HkuQfYTBGR+Cum9S+bfQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAVf930SJfJquM/4A3vibsmjRuCytHeEXLrEyt0j/NBDnyLqFMoL7qILfqtK3oSmQNb6PRQiLLFJlIz7fnkj6k3hm4qpJJvjyqcxYDeW6SK8yP7zKNGMeyIMs/humVgXWALkTF6PoFIfFo2lfnHAzHqPE06WN+hcYHRBjuR5/T+58l2LH9vJjPHuceGkWXyQCB/Hd2riNElXODIBEKzzKL923rm3oPaH/Un8TYnpyRRVKLd40DiptbY/E7YpzWrOsUppjsm0pUhdvBYjihLc6PhALzoUC3GwMjUK0T70gqRoGzsiqRIjIEC35QBGKavzhya2DLTZK3Pf70eJpkp1bGL'; + + var saml_passport = new SamlPassport({thumbprint: 'C9018666E764613366C20BC011D947B39BED236B', + realm: 'urn:auth0:auth0', + checkExpiration: false}); // dont check expiration since we are harcoding the token + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + if (err) return done(err); + assert.ok(profile); + done(); + }); + + }); // it('should validate a saml response from datapower', function (done) { // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; diff --git a/test/saml20.tests.js b/test/saml20.tests.js index 2ec52ec..ba27851 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -7,30 +7,31 @@ var assert = require('assert'), SamlPassport = require('../lib/passport-wsfed-saml2/saml').SAML; describe('saml 2.0 assertion', function () { + // cert created with: + // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem + + var options = { + cert: fs.readFileSync(__dirname + '/test-auth0.pem'), + key: fs.readFileSync(__dirname + '/test-auth0.key'), + issuer: 'urn:issuer', + lifetimeInSeconds: 600, + audiences: 'urn:myapp', + attributes: { + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'foo@bar.com', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar' + }, + nameIdentifier: 'foo', + nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' + }; it('should parse attributes', function (done) { - // cert created with: - // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem - - var options = { - cert: fs.readFileSync(__dirname + '/test-auth0.pem'), - key: fs.readFileSync(__dirname + '/test-auth0.key'), - issuer: 'urn:issuer', - lifetimeInSeconds: 600, - audiences: 'urn:myapp', - attributes: { - 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'foo@bar.com', - 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar' - }, - nameIdentifier: 'foo', - nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' - }; var signedAssertion = saml20.create(options); var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); - var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + if (err) return done(err); assert.ok(profile); assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); @@ -42,4 +43,43 @@ describe('saml 2.0 assertion', function () { }); }); + + it('should parse attributes with multiple values', function (done) { + + options.attributes = { + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups': ['Admins', 'Contributors'] + }; + + var signedAssertion = saml20.create(options); + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + if (err) return done(err); + + assert.ok(profile); + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups'].should.be.an.instanceOf(Array); + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups'].should.include('Admins'); + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups'].should.include('Contributors'); + done(); + }); + + }); + + it('should validate expiration', function (done) { + + options.lifetimeInSeconds = -10000; + + var signedAssertion = saml20.create(options); + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + should.exists(err); + err.message.should.equal('assertion has expired.'); + should.not.exists(profile); + + done(); + }); + + }); + }); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index e5515cf..8f867bb 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -18,9 +18,11 @@ describe('samlp', function () { var r, bod; before(function (done) { + // this samlp request comes from Salesforce doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', 'http://localhost:5051/callback', function(err, resp) { if (err) return done(err); + if (resp.response.statusCode !== 200) return done(new Error(resp.body)); r = resp.response; bod = resp.body; done(); @@ -69,6 +71,7 @@ describe('samlp', function () { doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', 'http://localhost:5051/callback/samlp-signedresponse', function(err, resp) { if (err) return done(err); + if (resp.response.statusCode !== 200) return done(new Error(resp.body)); r = resp.response; bod = resp.body; done(); From 6241c8a5ba6266eb1856872c5a058f1169ddfab0 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Wed, 7 Aug 2013 16:42:53 -0300 Subject: [PATCH 036/203] bump to 0.7.0 --- package.json | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index fa670ee..fad2562 100644 --- a/package.json +++ b/package.json @@ -1,14 +1,14 @@ { "name": "passport-wsfed-saml2", - "version": "0.6.1", - "description": "WS-federation with SAML 2 and 1.1 tokens for Passport (used on Microsoft products like Windows Azure Active Directory / Access Control Service and ADFS).", + "version": "0.7.0", + "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" }, "author": { "name": "Matias Woloski", - "email": "matias@auth10.com", - "url": "http://auth10.com/" + "email": "matias@auth0.com", + "url": "http://auth0.com/" }, "repository": { "type": "git", @@ -53,12 +53,15 @@ } ], "keywords": [ + "saml", + "wsfed", "passport", + "auth0", "azure", "auth", "authn", "authentication", "identity", - "acs" + "adfs" ] } From a0c100e6b0c71159dec088aaf585aa84229472c0 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Wed, 7 Aug 2013 16:59:29 -0300 Subject: [PATCH 037/203] add done(error) on test failing on travis --- test/saml11.tests.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/saml11.tests.js b/test/saml11.tests.js index a3a0fea..b1b033a 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -64,7 +64,8 @@ describe('saml 1.1 assertion', function () { var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { - + if (error) return done(error); + assert.ok(profile); assert.equal('вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); assert.equal('сообщить вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']); From 4e2633802744f314821ac1d132064901bff61480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Sep 2013 13:39:59 -0300 Subject: [PATCH 038/203] fix broken test --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index fad2562..55f74f3 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "dependencies": { "passport": "0.1.x", "xml2js": "0.1.x", - "xml-crypto": "git://github.com/auth0/xml-crypto.git", + "xml-crypto": "~0.0.17", "xmldom": "~0.1.15", "xtend": "~2.0.3", "ejs": "~0.8.3", @@ -38,7 +38,7 @@ "xpath": "0.0.5", "xtend": "~2.0.3", "moment": "~1.7.2", - "saml": "~0.4.2", + "saml": "~0.4.4", "wsfed": "~0.3.5", "should": "~1.1.0", "samlp": "~0.4.3" From bc18dc50c64c6fc26895c1cc827e4b6fe4b6b936 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Sep 2013 13:40:12 -0300 Subject: [PATCH 039/203] 0.7.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 55f74f3..d3c239d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.7.0", + "version": "0.7.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 04e92931fc49771e261736c1b3db6a2f3f2a4477 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Sep 2013 16:05:31 -0300 Subject: [PATCH 040/203] add jwt support --- lib/passport-wsfed-saml2/strategy.js | 89 ++++++++++++++++++++-------- package.json | 3 +- test/jwt.tests.js | 45 ++++++++++++++ 3 files changed, 111 insertions(+), 26 deletions(-) create mode 100644 test/jwt.tests.js diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index f2e5c2a..93a4ca4 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -4,6 +4,7 @@ var saml = require('./saml'); var wsfed = require('./wsfederation'); var samlp = require('./samlp'); var xmldom = require('xmldom'); +var jwt = require('jsonwebtoken'); function Strategy (options, verify) { if (typeof options == 'function') { @@ -23,44 +24,82 @@ function Strategy (options, verify) { passport.Strategy.call(this); this._verify = verify; - this._saml = new saml.SAML(this.options); + if (!this.options.jwt) { + this._saml = new saml.SAML(this.options); + this._samlp = new samlp(this.options, this._saml); + } else { + this._jwt = this.options.jwt; + } this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); - this._samlp = new samlp(this.options, this._saml); } util.inherits(Strategy, passport.Strategy); -Strategy.prototype.authenticate = function (req, opts) { +Strategy.prototype._authenticate_saml = function (req) { var self = this; - var protocol = opts.protocol || this.options.protocol; + + if (req.body.wresult.indexOf('<') === -1) { + return self.fail('wresult should be a valid xml', 400); + } - function executeWsfed(req) { - if (req.body && req.method == 'POST' && req.body.wresult) { - if (req.body.wresult.indexOf('<') === -1) { - return self.fail('wresult should be a valid xml', 400); + var token = self._wsfed.extractToken(req); + self._saml.validateSamlAssertion(token, function (err, profile) { + if (err) { + return self.error(err); + } + + var verified = function (err, user, info) { + if (err) { + return self.error(err); } - // We have a response, get the user identity out of it - var token = self._wsfed.extractToken(req); - self._saml.validateSamlAssertion(token, function (err, profile) { - if (err) { - return self.error(err); - } + if (!user) { + return self.fail(info); + } - var verified = function (err, user, info) { - if (err) { - return self.error(err); - } + self.success(user, info); + }; - if (!user) { - return self.fail(info); - } + self._verify(profile, verified); + }); +}; - self.success(user, info); - }; +Strategy.prototype._authenticate_jwt = function (req) { + var self = this; + var token = req.body.wresult; + jwt.verify(token, this.options.cert, this._jwt, function (err, profile) { + if (err) { + return self.error(err); + } - self._verify(profile, verified); - }); + var verified = function (err, user, info) { + if (err) { + return self.error(err); + } + + if (!user) { + return self.fail(info); + } + + self.success(user, info); + }; + + self._verify(profile, verified); + }); +}; + +Strategy.prototype.authenticate = function (req, opts) { + var self = this; + var protocol = opts.protocol || this.options.protocol; + + function executeWsfed(req) { + if (req.body && req.method == 'POST' && req.body.wresult) { + // We have a response, get the user identity out of it + if (self._jwt) { + self._authenticate_jwt(req); + } else { + self._authenticate_saml(req); + } } else { // Initiate new ws-fed authentication request var params = self.authorizationParams(opts); diff --git a/package.json b/package.json index d3c239d..b42dd82 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,8 @@ "xtend": "~2.0.3", "ejs": "~0.8.3", "xpath": "0.0.5", - "cryptiles": "~0.2.2" + "cryptiles": "~0.2.2", + "jsonwebtoken": "~0.1.0" }, "devDependencies": { "chai": "~1.5.0", diff --git a/test/jwt.tests.js b/test/jwt.tests.js new file mode 100644 index 0000000..1861756 --- /dev/null +++ b/test/jwt.tests.js @@ -0,0 +1,45 @@ +var expect = require('chai').expect; +var jwt = require('jsonwebtoken'); +var fs = require('fs'); +var Strategy = require('../lib/passport-wsfed-saml2/strategy'); + +var cert = { + pub: fs.readFileSync(__dirname + '/test-auth0.pem'), + key: fs.readFileSync(__dirname + '/test-auth0.key') +}; + +var s = new Strategy({ + cert: cert.pub, + jwt: { + algorithm: 'RS256' + } +}, function (profile, done) { + done(null, profile); +}); + +describe('jwt support', function () { + + it('should work', function (done) { + s.success = function (user) { + expect(user.foo).to.equal('bar'); + done(); + }; + + s.fail = done; + s.error = done; + + var token = jwt.sign({ + foo: 'bar' + }, cert.key, { algorithm: 'RS256'}); + + var req = { + method: 'POST', + body: { + wresult: token + } + }; + + s.authenticate(req, {}); + }); + +}); \ No newline at end of file From 3693427d80073aa52f4a65155ab8db98cd7d4927 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Sep 2013 16:05:38 -0300 Subject: [PATCH 041/203] 0.8.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b42dd82..3d2199d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.7.1", + "version": "0.8.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 48433738b3957b9b318525dec1e96f8939e99e5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Sep 2013 16:09:11 -0300 Subject: [PATCH 042/203] add jwt to doco --- README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/README.md b/README.md index a6531b7..c6408c7 100644 --- a/README.md +++ b/README.md @@ -53,3 +53,30 @@ app.post('/login/callback', ); ``` +### Jwt + +Although this started as wsfed&saml we added support for wsfed&jwt. Usage is + +~~~javascript +passport.use(new wsfedsaml2( + { + jwt: { + //same options than node-jsonwebtoken + algorithm: 'RS256' + }, + cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg=' + }, + function(profile, done) { + findByEmail(profile.email, function(err, user) { + if (err) { + return done(err); + } + return done(null, user); + }); + }) +)); +~~~ + +### License + +MIT 2013 - AUTH10 LLC From 22b5ba87be4ac51dd1ca4e1a145be41d23a483c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Sep 2013 16:09:14 -0300 Subject: [PATCH 043/203] 0.8.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 3d2199d..17800f6 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.0", + "version": "0.8.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 8c6464d5e4486b3c45e54163453d2ddab256ef8b Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Fri, 22 Nov 2013 13:46:52 -0300 Subject: [PATCH 044/203] support for samlp requests when idp has question mark in URL like ping --- lib/passport-wsfed-saml2/samlp.js | 6 ++++-- test/fixture/samlp-server.js | 13 +++++++++++++ test/samlp.tests.js | 31 +++++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 04b9ddc..94cfacd 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -4,6 +4,7 @@ var qs = require('querystring'); var zlib = require('zlib'); var xtend = require('xtend'); var templates = require('./templates'); +var url = require('url'); var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; @@ -40,8 +41,9 @@ Samlp.prototype = { } function buildUrl(buffer) { - var url = options.identityProviderUrl + '?' + qs.encode( { SAMLRequest: buffer.toString('base64'), RelayState: options.RelayState || '' }); - return url; + var parsed = url.parse(options.identityProviderUrl, true); + var samlRequest = options.identityProviderUrl.split('?')[0] + '?' + qs.encode( xtend(parsed.query, { SAMLRequest: buffer.toString('base64'), RelayState: options.RelayState || '' })); + return samlRequest; } }, diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 06bd434..612d742 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -23,6 +23,18 @@ passport.use('samlp', new Strategy( }) ); +passport.use('samlp-idpurl-with-querystring', new Strategy( + { + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: identityProviderUrl + '?foo=bar', + thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + }, + function(profile, done) { + return done(null, profile); + }) +); + passport.use('samlp-signedresponse', new Strategy( { path: '/callback', @@ -151,6 +163,7 @@ module.exports.start = function(options, callback){ }); app.get('/login', passport.authenticate('samlp', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-idp-with-querystring', passport.authenticate('samlp-idpurl-with-querystring', { protocol: 'samlp', RelayState: relayState })); app.post('/callback', function(req, res, next) { diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 8f867bb..89f84c5 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -199,6 +199,37 @@ describe('samlp', function () { }); + describe('samlp request with idp url containing querystring', function () { + var r, bod; + + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login-idp-with-querystring' + }, function (err, resp, b){ + if(err) return callback(err); + r = resp; + bod = b; + done(); + }); + }); + + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + }); + + it('should have SAMLRequest and foo in querystring', function(){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + expect(querystring).to.have.property('foo'); + }); + + }); + }); function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { From af7af0c34b4308f331021b210d7b629e35c2f965 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Fri, 22 Nov 2013 13:48:08 -0300 Subject: [PATCH 045/203] bump to 0.8.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 17800f6..86479c9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.1", + "version": "0.8.2", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 3d73e12d40a5f1fa16672d0e9917eebc9798600a Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 20 Jan 2014 14:20:51 -0300 Subject: [PATCH 046/203] validate if saml response contains assertion element --- lib/passport-wsfed-saml2/samlp.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 94cfacd..c97b0ca 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -59,7 +59,7 @@ Samlp.prototype = { var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; var token = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion')[0]; // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion - if (token.prefix && !token.getAttributeNS(saml2Namespace, token.prefix)) { + if (token && token.prefix && !token.getAttributeNS(saml2Namespace, token.prefix)) { token.setAttribute('xmlns:' + token.prefix, token.lookupNamespaceURI(token.prefix)); } @@ -74,6 +74,10 @@ Samlp.prototype = { var assertion = self.extractAssertion(samlResponse); + if (!assertion) { + return callback(new Error('saml response does not contain an Assertion element')); + } + var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; From 258272ed0aecf756c3d232d25d72497061f6e1e4 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 20 Jan 2014 14:21:08 -0300 Subject: [PATCH 047/203] 0.8.3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 86479c9..eed220b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.2", + "version": "0.8.3", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 4727b0020461b14015fda8b45eeb12aaef3fa755 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:17:12 -0300 Subject: [PATCH 048/203] support encrypted assertions. closes #3 --- lib/passport-wsfed-saml2/samlp.js | 87 +++++++++++++++++++++---------- package.json | 3 +- test/samlp.tests.js | 76 ++++++++++++++++++++++++++- test/test-decryption.key | 27 ++++++++++ 4 files changed, 164 insertions(+), 29 deletions(-) create mode 100644 test/test-decryption.key diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index c97b0ca..4201cc4 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -5,6 +5,7 @@ var zlib = require('zlib'); var xtend = require('xtend'); var templates = require('./templates'); var url = require('url'); +var xmlenc = require('xml-encryption'); var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; @@ -52,54 +53,86 @@ Samlp.prototype = { return decoded; }, - extractAssertion: function(samlpResponse) { - if (typeof samlpResponse === 'string') + extractAssertion: function(samlpResponse, callback) { + if (typeof samlpResponse === 'string') { samlpResponse = new xmldom.DOMParser().parseFromString(samlpResponse); + } var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; var token = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion')[0]; + + if (!token) { + // check for encrypted assertion + var encryptedToken = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'EncryptedAssertion')[0]; + if (encryptedToken) { + + var encryptedData = encryptedToken.getElementsByTagNameNS('http://www.w3.org/2001/04/xmlenc#', 'EncryptedData')[0]; + if (!encryptedData) { + return callback(new Error('EncryptedData not found.')); + } + + if (!this.options.decryptionKey) { + return callback(new Error('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.')); + } + + xmlenc.decrypt(encryptedData.toString(), {key: this.options.decryptionKey}, function (err, decryptedToken) { + if (err) { return callback(err); } + token = decryptedToken; + }); + } + } + // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion if (token && token.prefix && !token.getAttributeNS(saml2Namespace, token.prefix)) { token.setAttribute('xmlns:' + token.prefix, token.lookupNamespaceURI(token.prefix)); } - return token; + callback(null, token); }, validateSamlResponse: function (samlResponse, callback) { var self = this; - if (typeof samlResponse === 'string') + if (typeof samlResponse === 'string') { samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); - - var assertion = self.extractAssertion(samlResponse); - - if (!assertion) { - return callback(new Error('saml response does not contain an Assertion element')); } - var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; - var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - var isAssertionSigned = xpath.select(samlAssertionSignaturePath, assertion).length > 0; - - if (!isResponseSigned && !isAssertionSigned) - return callback(new Error('neither the response nor the assertion are signed')); - - if (isResponseSigned) { - self._saml.validateSignature(samlResponse, { - cert: self.options.cert, - thumbprint: self.options.thumbprint, - signaturePath: samlResponseSignaturePath }, function(err) { - if (err) return callback(err); + self.extractAssertion(samlResponse, function (err, assertion) { + + if (err) { return callback(err); } + if (!assertion) { + return callback(new Error('saml response does not contain an Assertion element')); + } + + var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; + var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isAssertionSigned = xpath.select(samlAssertionSignaturePath, assertion).length > 0; + + if (!isResponseSigned && !isAssertionSigned) { + return callback(new Error('neither the response nor the assertion are signed')); + } + + if (isResponseSigned) { + self._saml.validateSignature(samlResponse, { + cert: self.options.cert, + thumbprint: self.options.thumbprint, + signaturePath: samlResponseSignaturePath + }, + function (err) { + if (err) { return callback(err); } - if (!isAssertionSigned) return self._saml.parseAssertion(assertion, callback); + if (!isAssertionSigned) { + return self._saml.parseAssertion(assertion, callback); + } return self._saml.validateSamlAssertion(assertion, callback); }); - } else if (isAssertionSigned) { - return self._saml.validateSamlAssertion(assertion, callback); - } + } + else if (isAssertionSigned) { + return self._saml.validateSamlAssertion(assertion, callback); + } + }); } }; diff --git a/package.json b/package.json index eed220b..9ddfc15 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,8 @@ "ejs": "~0.8.3", "xpath": "0.0.5", "cryptiles": "~0.2.2", - "jsonwebtoken": "~0.1.0" + "jsonwebtoken": "~0.1.0", + "xml-encryption": "~0.3.4" }, "devDependencies": { "chai": "~1.5.0", diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 89f84c5..c920dec 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -4,8 +4,10 @@ var request = require('request'); var qs = require('querystring'); var cheerio = require('cheerio'); var xmldom = require('xmldom'); +var Samlp = require('../lib/passport-wsfed-saml2/samlp'); +var fs = require('fs'); -describe('samlp', function () { +describe('samlp (functional tests)', function () { before(function (done) { server.start(done); }); @@ -232,6 +234,78 @@ describe('samlp', function () { }); +describe('samlp (unit tests)', function () { + + describe('extractAssertion', function () { + + var samlpResponse = 'urn:fixture-testurn:fixture-test12345678https://auth0-dev-ed.my.salesforce.com12345678jfoo@gmail.comJohn FooJohnFoourn:oasis:names:tc:SAML:2.0:ac:classes:unspecifiedYkV3DdlEa19Gb0eE3jTYTVPalV1kZ88fbIv4blO9T1Y=ZiINpNlahQlp1JbgFsamI1/pZ+zcPsZboESVayxBMtrUBYNC4IG2VBnqku7paDxJQ7624CvcNzAYWYCv/2/c67Bv6YhQwK1rb4DPEL6OvbI8FNkYAhTNNw5UhUTEMjnJ7AncV/svUTYyIOyktuCvQh3tR4teZJV+BM3IKj9vRQQbCRNSUVHJEe963ma5HcCyo+RhIKU1pm4+ycswOlY9F115roKB4RNRJLs7Z5fyzhbOoCUujR9MMKHHq+CWaYvh5SkjaH1wMorlPlJtq5dhTZtDRhj4HwxYpCG5b4NF2vp+Jpni4dDFKou0Lzk0k6ueCJGcNHfidfEB3RB20Hed2g==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo='; + var samlpReponseWithEncryptedAssertion = ' https://adfs.fmi.ch/adfs/services/trust CN=fmi-test.auth0.com 17575331292066593326 PfbLmL7Eb2NL5lzxyuEuKolgDtHjAuVDV9AaDKp1UqxSKXPGQaF3FTFt7Gl7FRmEdfjMD4xyMII4c6itasV7/N1WIXVw6j9VpvBZ2WPH4lT2gHVXEnCSko+rlk0OfFQN/XFY1HZrPb0PeSYtbuR6Fe2KDLVYYSElrGyn9lbU/zgLB+cV3OiidMamymcTjBYxr3+wv8zhEl2jDYd/04wULeDydhNpA8KFzjy/DQwE4GwlOfuCCtZboai1OXA3++KEuwH2QrC5lRpmnpwV1OJj+ozWDmJrRLA/vpxakQfMzjBcMoBx5wy0dvDaXcjMZk2aaOUhydSC+vd5UYD3npVlog== AZX6tZLTBQJTsrbXGj1QaDf9ZnMigNI3ySiH7deoK0y0M9gkzC6+7tzie7IbavR9QkdLlB0NCnokPFYyxS/w3NsCT3qDk9o45f4LNVqBel1sVagG1rNFcjMsH17V0Phj5idh/acvIx8s22XDC44XXeo0/FT3ZC1HPBBwS+c4UAFI3OiYux61gzA4zg72iZoqs9Wt6ZpJdKn3QtrOCYGQmKrO6lKzgHLkHgB4Lk8Th24OqfeRWdau4j91z28gZ4teSlp9oARgXrrGjdFneXivTSTdDfMwKOmCr5eVfu5jUBCjeaL5DEU/mlpfUwvnQQVOq+rYimq4+Yp1eRXr69diRJ73Ne+7iL7CzqXDLoYuz+ZMdGE2hEU7L0nn1mnmPaGtbdtL92bj2dALNeshWJjjBw7Qem/GjJFEHKzsd1OfhMRuNlfpw6gFku3/+QcYac/FJYzxOIfEzKOQWL8GMLm96CZ0J2Par2yEM9oi4fDtRocjyAhX//JSgiB5HDS3kxDc4HNGSqOgmmXGi6vQR9+82fIlnRP7iO1xD6o61sKHBOMI22bMKouyx0XlKoNHPuPMQGmHfgbty66KFgqkLih5nLX3TzqNommle9ZwvcIvgZ2PWRmiLVtfW/Yc3584zp1CzF/VwqOXCalTkgEObuSXEODU4JpGVAViPCVyriVBu1kWmws/kpfaTUe+brI1m+hp+0tpjKVh+VoesXR+9iPMOHbX39Slmah6zcjU/UjQAN+rtF3SSBMrRd1Fc9VD2fevvD1YvPU9LUAo1BkS7e6ig0jcsX4TC+tdNR+wWiNPhYclIuo06Nd4Uk1f/WkdV1+cRDIobdVabiq6EXSbaJAzbCepCJcOn8dNr0301Os4SIi0EtEQO3wk/Sx7e2UVlmRofK8R3p8TupyO0skMhUzRmlFmsI7kFpKUfcmtshamt9JVN8qIQCowxPgRmy0T67swJgBFdRX5C34CXxNJvGw8Eld7TDoiuQa4FxN2T7ebjaAsBQGYxsBPaGQQFNFTptGNsC+2YDFKV82rftCSyoZiAg3wnz/qjcsB02TOIGtu2I9M/lspl+N4Cb8adludm+YnfK6yRIUFzx2Y7N3hh4WKwvfK8IJuckg+dKC3IOyW2L0dUTScUNB9nB/2jxYLXyiqyT+B+/83BVRBjitFw3F8web3i8iLmMFJswnbL3ONYzUbW7Gu67y+LSHo3yRIneVCJrj91ihvBUMvae7kgoQUVj4vYFMPsykJaFypb59OXe6CyE1bAOHcKnPLRC7tix+TeSgQhHMIqr7yPZXHEhX3FfduxsrrnN4QYIqJOYlirqTh0SdwpT7Y2W02iEdEDBNyJs7kKH4ArRUrSu8xFi/vaNMB896lRy+hMAxdtM131MRV+eY68rNhAb275a3cpsYONRJPym4CRegV48rr6yFHm1vhMoXo2eNBIoQHm4wUInxwhYw0yt/9WM2AU3UwIOdCTHwJQeLWgJu4PDA4O0Tmrm2bS4kFEM4ya3Y6KXhjVHyoxkHzi+PYVNzEKdobhxOP2+1n/5+/SU84+WqcsQxRtoXFloEr1GMSt9L1di4w9uuzYngM49P63CQBMQVi8hz4fPrkZzm/V3MwZ7aOIm9/JTr2IPeuJYE7LHh3VDB2uirFGfrooHncOKDQfAqgSrAF7ztSYgY3DDuBcBMQ3uS8rMqrH0Uwza1hF7p+7dfUZyzt7OF9zGBJmOWK2YLkCL+QiCxJMTG+til3AyHwRVmACdL6uNmBsd31Sr673YiFaPTZC2Q6wu48HYZQ0z5qJwOpBm5EHDuVDCwT/GqkTwQD5182f5jQKX5eWIa9gehuKWrTfOZc0DU93yfE1ZGXJq27RrAv4Lzfh59lRvasGL3PZ+rRLuALgKQ5vBgJXlgk1T/hHP9sB1BAG8OpwQoQOFlx4y8kZLzxQmtRBb9BaTzl43CYLhsXgPBsepRSL3RAyG123LgDRz56TU/b6v8Wuu/GzkC7Afr237HazCiRG/kpKqYAEEWKjHPVzKFnJpF1EiuaNxBncSMPc/zn5i80oS6aTT4yQ0yxyIxKBzRGipZewnn/u3qSLy2j/z6lW1vcWEk/hdjC1HQ9ya0JJDwUB5FF308S4oK1E4gTsu3uKkKiHTYQC7Hxp4XQogjujCzWH/HvW2FsA7Na1EAkIu0KpzikcNvZ5xEBbIlmGqdsC2/9ybuQMtoxxleKRT3ZBgpuQqcYDt/iQDUaS1LpWQXN+7pg1eRy/Dwzitfq1zMO1wCrFEnvGt9WCBKAvX4+s7A9YmDPhTfdpKTQRe2df4QjkvuAtMlM4DYV6JkKj0S7Z3sjPBCzqFF93HM3KvPocHokYa0s/SJVTVkRot+EE7emGoXU82i99jMpXCjsaujTrEGawFhvNX0QhsXoUP2qWAEquRGZ7eBEUhWwHSZhdKM4/HvMa8fYklhKZ4T47b+pCSkeny3ycajy/ClUDGiBLO+Q1IN0qyOWDVAPB/+EPKVct3Bx+WzV9f57fmXZ+wfXjBHYodIfX8tRbehZtLma2h+BNenjiiSWFERrUURV1l1osL+3kuEqwewc/8ys3fGhCWj0+C2hubOUgA0yCZH8KtuJVpYvR4vjnJ8C1g6QELsWgaKWXEw58kRXP/CFAVlhoklS40+HPq5SfjaDDcUOsc2qwzNp8+0ktk1ozFJx3k2fEirRoS7q2upVuN3sCLC4hduDPPMrmStgdUsLwzg1IK+aAWQgvVThmF449nVsDVZGcVeyoB81DuCI+BCKP+apJaPcjf0f083rxEbUNMnKv6GhWl/Mkyhhnafuqq80pMS6ehm27CZSk9Snh8HxI3QMH1cbIx/iHIGOA1kP6ulV4qdwKh/KXYnu/r6JkrSBWQp/21mnJ1yWLSgiJoM+zoWzBcV92Qffjj+2yLN3wdOSaxpPX2B2jU997m4MOr46ut8pHvE4bdTbVpxIhi9f2gzv36ElT5MDTXCiS5+svShCYVEoIipwEmJMs+l/HXwR7PtOvPytSwh+eSC1Z4bTdSPhdyiCMu37tAwlK0K6WbcUQfJE7cPMs+gKgAB6m4VenDV7SQwC+ARWxKACvtBU+QTGudUE7NUHsMugCBHjYB9bKtbakycEachQykDRDkkZ1PDL03ipM8d8Gb0Tm9dYwerBg7Nmw+jt69+VqCaFtpeOc+jp+e5bWEfg/HCHchsHGIQ72RKlHKLXmFwEJ7PmzOlbNGT0Usltq+9o9vHL89mfNK6n2xbneaYyKGFzu87j5+a7caSwJ7CTCFCnq6hctC5bi1tTqQM8tkBiv1lCTcy1kB1t7WX2RpkV99jfLPZPinTI4l+CtjJF3WYNSGgK+JJwzzflL1mobgdHVFGYyERBkx/FNq5aqGSkJA0dki2i3e0liQ8hsybtpe+uX9sybKCMy6MVEoMCzGJBV2g4N/OLCC+WsXPMbJ6SqyZlNKooRtJEuwZzJb2hlWx2298AxtNTcWA+u+gxibf6GZlGcujjf2+/uUrzXRw+hBQU0O/wD5pLvXwYIuxElo02gG1XQu1RLM1qrGg5ouEg7I5TmJzOIjIhhvuGEEoQjZMqA3byJCzj9a7LBJ5ddbmB8Xp9louyJbOuJghgt835r7PfPIqA+58UqNYWkFHYt+PjPc4+DPetjKi0SmvmtxVGjM5qsRCmiabBcY5nHQGNaGIsmg0VsaauBe78LjKLnJL2IR9wgNEEBadyuWHbNtd7wsf728+o6PQzEU8LJO5DK5QvxbX3QVyZTi17nkykvsU0nVqiYZ8Wyc65XgvDjOe18ECG9xeX6vd3pJ+15we9xNJmvRvWy/RCDSt0ul9hUJiHyXRjZGxkP0VD5bWM6MO3RcWmlHwaZRP/U+7sGY1nqhYp6iBfGgKeKlCIwQLeS/n815CVCxHkhW3Vf6dANBirojH96kvcpWLKq/DaVMlmPOkHy+14kMQtZTEqgHuo0Sm/nS5ddVVj1VcFkI+CqK45a5u6Mf/EB/TTOTWTY+iRbwD/grQ2uTRmUMs3G3Fww2xtu1N5jkqm62ooU8CSkr+zVuskX1qRlavV7Z+viDbL5XGiicKf32AYL/KZSLpthpD3Y5FIDuMMXn7xlXSnXDZxbWl9GF4DeMA0pgOlT0afRo+DyLLNv0ot51w8UCX200rPUeI/U/xPaBNOXFrAvlS6syp6nG3ldiJsJMFCwtxb7vO5tSKpQXUXJ2zOnYhQjO7Ofbyfprs65ZZRCvvDh/RaCcYm0MyFmdWlTgz7cd4dkDhv8SpvhnlPoWwoUi0d9s5gxqmPWUEtVbuEMCzewU1XTcJufSP17mmF6ciofj9t6tvY588Kc0cdGMshzcYnhM6vgHrFiZQoKxE781/SBXKeNG/o6NqQYq7st8t6mwaS5Hx+1eimMCT147dnHNmkjf4TKhLw603QX9gV94owtbc38eRB8UCmgs+37J7I92Ls8W7V9sV5em/JO4K7r3cuiLBfQxkljU+cLKcvpnM65/IAAhXo88Wka3pctkejNTyo3pNbwyikekCYQ+nViSzOjXskQWbcv1ZnzbSGzQJIA7dtgDvIdvQulAveK9VQe9zpPHHomSqBzQr8cwklgC2SJoK5VH0landsMyZR/Xq/jUObUEcvd9kp+MU/OvPz61NES5cqYxCgErEzbv4jxKY9/JohKfue3f+WuQ9pwpo9AbVLTWYFl9uYvg4xM66FWcdfpSh6phv9Q8xfxZjL+2+qC0j/lD9DKB1ztHavDgyRby14iIALJHGi1t3F5JrPSib2XJL38xqIDYCX4iHKUEwwtrb51jWIhc18pLu0QNa+2z9cTrf2zPRTS2LZFbBt9RUKXhaDHTIxEKtiYKIO0fwA2xFUPZaqNfQjyLHPPo1xaOSsepf8fqZplcbphNFCxbKJ7awgZmUl1uGZ4gVo6USSjEXBPTFjJnqV+AhF484petGC05kONnLKPIZ+EQWdRBnQ/yI1T2HY3uoj0QI6qzUFJPg9ujr3KoJvPdOw2Y26PV1J6n+0iEl0whnmD5YZkhetkShbGKILVrLwjkrssuBncUMiWNHPxq19gmGoUEyNs6jWvUSIbgUDa0lsBAOffLRZnVVp0/cVNT6ba7ZnGVWQGkW8Lh6kW/nscf7gKaWoV5RQsP4jAv3GhOO72U8Xvi3v7go21NmfARGq/gTe3XWgc+d3+A0UcHxyDGiUxnr84EHi97GzWA6qtpUWMoGFKNzna/IwAb0iJVBjgJV2vou3R0tvQsHrb6k3WIiUmpIgIkVbC82BzbU3MBKnnljmRpnoUBghkLpf6jjtmteepyezSpCrnzLU3JBJnoXnvoVpst3fA/ByxMUsVpWmS7dT1nQmfifXY056vi8IjeMG0oKVrZlKwZaV2EU0vIqkm/gSgko/h7PXKv/mXDz6hhcft2MWWhEZt5b+40dahinDBhzlRvKcCzMuolDlKMoO7bAjH434ZJQ0LYZX7VSvU5obosJQeZvSE98Gmh09ylYydK03FDSqnK0s3y3Dlo4UzdPhSzJUXk6qZwRaIyReUrHx+0yNgV6JG9gYfabT96dF0mGJdrA6Eitwziot1fEjsKziZ71T4+Kdpn385fjpK1ljQE1amAxYI8Rcs56hoqpmq2QWINQnDXUPpq+jjAf7XnCX/wP9iappXeA1cIN4pTqEOr9fjJsO38gRyxPcSl9ak85+HWyfKx66TloDW/OOHS+M8pX913u/rLKx9Bwe64QCXVY9wRV9aEQv2+RPe/i91lCU5ZqFZclpsq/qcHLlMAk3CNXR/mOHc1tlGT5u7Ds12yVy3RQTLd8kh9p5b4PCdnI87Mp4cPONhkZfZYTjNUd9e/mDxDwk20YjWytDRrxC+o/N8rqEte8+EAPVjB8SsUuN/tX3Wi9mEZloR+MRLfX9jO7903MDUGAL+JOPZRzsLvllNjInQ589OUZxtfXVSVmts++2lxZ8AWtxmjZcuxu3WfF1dZ5WxbInu611Fr1tU+sm0sFFiryN0m7XQgs= '; + + it('should returns assertion', function (done) { + var samlp = new Samlp({}); + samlp.extractAssertion(samlpResponse, function (err, assertion) { + if (err) { done(err); } + + var doc = new xmldom.DOMParser().parseFromString(assertion.toString()); + var attributes = doc.documentElement.getElementsByTagName('saml:Attribute'); + expect(attributes.length).to.equal(5); + expect(attributes[0].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'); + expect(attributes[0].firstChild.textContent).to.equal('12345678'); + expect(attributes[1].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'); + expect(attributes[1].firstChild.textContent).to.equal('jfoo@gmail.com'); + expect(attributes[2].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'); + expect(attributes[2].firstChild.textContent).to.equal('John Foo'); + expect(attributes[3].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'); + expect(attributes[3].firstChild.textContent).to.equal('John'); + expect(attributes[4].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'); + expect(attributes[4].firstChild.textContent).to.equal('Foo'); + done(); + }); + }); + + it('should throws error if EncryptedAssertion is present but options.encryptionKey was not specified', function (done) { + var samlp = new Samlp({}); + samlp.extractAssertion(samlpReponseWithEncryptedAssertion, function (err) { + expect(err.message).to.equal('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.'); + done(); + }); + }); + + it('should returns decrypted assertion', function (done) { + var samlp = new Samlp({ + decryptionKey: fs.readFileSync(__dirname + '/test-decryption.key') + }); + + samlp.extractAssertion(samlpReponseWithEncryptedAssertion, function (err, assertion) { + if (err) { done(err); } + + var doc = new xmldom.DOMParser().parseFromString(assertion.toString()); + var attributes = doc.documentElement.getElementsByTagName('Attribute'); + expect(attributes.length).to.equal(8); + expect(attributes[0].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'); + expect(attributes[0].firstChild.textContent).to.equal('peter.pan@fmi.ch'); + expect(attributes[1].getAttribute('Name')).to.equal('urn:oid:0.9.2342.19200300.100.1.3'); + expect(attributes[1].firstChild.textContent).to.equal('peter.pan@fmi.ch'); + expect(attributes[2].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.4'); + expect(attributes[2].firstChild.textContent).to.equal('fmi.ch'); + expect(attributes[3].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.5'); + expect(attributes[3].firstChild.textContent).to.equal('others'); + expect(attributes[4].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'); + expect(attributes[4].firstChild.textContent).to.equal('Pan'); + expect(attributes[5].getAttribute('Name')).to.equal('urn:oid:2.5.4.4'); + expect(attributes[5].firstChild.textContent).to.equal('Pan'); + expect(attributes[6].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'); + expect(attributes[6].firstChild.textContent).to.equal('Peter'); + expect(attributes[7].getAttribute('Name')).to.equal('urn:oid:2.5.4.42'); + expect(attributes[7].firstChild.textContent).to.equal('Peter'); + done(); + }); + }); + + }); + +}); + function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { request.get({ jar: request.jar(), diff --git a/test/test-decryption.key b/test/test-decryption.key new file mode 100644 index 0000000..349d6aa --- /dev/null +++ b/test/test-decryption.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEApv0aJ9/4q9A/Cj16g5tJbs01hkWtSjFGfvioxx19nCS7Abc7 +wQaLxf5Sw202DBCUxV9i32UoHvWIlKUo4GIE9IU/vM/2MW1Od8lxpG929g+ggLhj +zW27ouQ03d7X/fU2n5Hql3sXot8daq5/4H6HIckJdqx13omUah5v3j56amP2WbzA +c1veyv/zzf3goncVQF7E/NDmukot7t3l+bgQo7+LISlYdSV/t1/3IYPqbvU/Gj7y +vwOqrsDkSEZf/OTpK7BniP+zOLPKf9xe6WUaDc8Cxz1dctPjnkDUoQHHl5Masxzs +lDe4NSqp8N/i+PCU0FwiPGDZfd0zSwlWT/mvTQIDAQABAoIBAFd9qtOTjHVwsWbL +GUKU/N950v5byVRjBt2FqOBSOjqyH+zhNQSISnldK73KnZOqqFfVBzemh2PZH0tK +UWVm1dPLcL6bcxEohQFL4SfXYsu/Gkf21AuQ38uTp4NLu30Kmij2yaO+UX77SS1Y +6hUUFfcEntm3uDX1fXYwJkqaD4dnqX+qSUSUi79j37oyGrjQ43B7/Ov8RX+tpl6O +pHbcnQEfy/qNz4RvQxGiAKiOkR69dSASh4aKhtj/hCSYEZcCKd0HqkSTiGWS3I3S +IEIkgCzfuMZZX0GwY4XO5IvoOe4R4X8UhLg/N1nYjlFb+pr7IreXikOXfqGSU64P +IIBLyCECgYEA2WUfCRaaNmfX9BKKyKxdIVCJcBSi7qCEFYu4+GoX9+zSEpL/q34S +m7avdsr6lvhtPjnmN/EuuuenrPvQTksiW+s0+3h82CsFjnA9srG1/uWtzeLOMInr +l4KU0A4zFjRV31Rr7Hw8WiY/SUt1OGxDr/zJlXsZdGMy0WHQRuHPm0kCgYEAxKR8 +XkUZ/P40NdBiy+SwLfmp+Y4C2azTRNAqiMvGoKzfIhk7aWqVbtUmEpa0USJ1ZT0Q +4kfL0M25RwOatit+1ZOOEtextNId17wJ1nN05+1X//M/TndzuKbGGiD8WglhGJ66 +CbaJ70x3JRPFXslwktNFtuCu7ZHEiNdBrLdWj+UCgYAh2D9jr9QkYjhZtEVNBqCd +Hie3fk77bZwCqrUKX6IJpCH0aFRLg54sBd39VY570INZa7Quw2quCICvSqjcd5AK +1WxzNgfhs5jy2wCQAGDAJUvQwN2u6tn1xYubdIp5i35O/Zqrv4+5zTiPFaNTPG+x +R16u2fJVj1gLBvpg/qjOmQKBgQCmAfLYpt+kvHoZQD5XwU2W0qHTgzcWyxdkjZSK +/fVGqgqJv+FvQkK7WYiVwtKheETBXgdF8LS5JyQWNo3C4v9lkPctIxjr/UKiYSWw +/LGiJrXW52T3elKgfXLaliRUYnytCzslfgv+kIA5NfK27bpyyZeeJxqmhxvzJj5U +cEbMnQKBgQCg1APAfp3iJB8dVdLtASFuR90/FvutPx9PX+8BpbKzIi760C5um9O3 +sb/kyiulMJtRK7FNZt34DGUqCmsascB5ia37uDq3b2BowELrDuD4uP+nIRojPSgb +ZqumSC1ns30M4yx05umvS7EZQf17xM0f5FCofvHAhnSVQwpBIAK8Ew== +-----END RSA PRIVATE KEY----- \ No newline at end of file From baf14c8538d9fa48dafc6afe69c5bf8176f8719d Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:17:26 -0300 Subject: [PATCH 049/203] 0.8.4 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9ddfc15..83d425c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.3", + "version": "0.8.4", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 5607542a4e00b408966bb7dab27b052dccbaa606 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:22:03 -0300 Subject: [PATCH 050/203] minor --- test/samlp.tests.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/test/samlp.tests.js b/test/samlp.tests.js index c920dec..8885662 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -283,9 +283,7 @@ describe('samlp (unit tests)', function () { var attributes = doc.documentElement.getElementsByTagName('Attribute'); expect(attributes.length).to.equal(8); expect(attributes[0].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'); - expect(attributes[0].firstChild.textContent).to.equal('peter.pan@fmi.ch'); expect(attributes[1].getAttribute('Name')).to.equal('urn:oid:0.9.2342.19200300.100.1.3'); - expect(attributes[1].firstChild.textContent).to.equal('peter.pan@fmi.ch'); expect(attributes[2].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.4'); expect(attributes[2].firstChild.textContent).to.equal('fmi.ch'); expect(attributes[3].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.5'); From c9081bec19fc87c25fb98b71c7c39486885523d7 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:25:30 -0300 Subject: [PATCH 051/203] minor --- lib/passport-wsfed-saml2/samlp.js | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 4201cc4..ee1ddf4 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -60,6 +60,14 @@ Samlp.prototype = { var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; var token = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion')[0]; + var done = function (token) { + // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion + if (token && token.prefix && !token.getAttributeNS(saml2Namespace, token.prefix)) { + token.setAttribute('xmlns:' + token.prefix, token.lookupNamespaceURI(token.prefix)); + } + + callback(null, token); + }; if (!token) { // check for encrypted assertion @@ -75,19 +83,14 @@ Samlp.prototype = { return callback(new Error('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.')); } - xmlenc.decrypt(encryptedData.toString(), {key: this.options.decryptionKey}, function (err, decryptedToken) { + return xmlenc.decrypt(encryptedData.toString(), {key: this.options.decryptionKey}, function (err, decryptedToken) { if (err) { return callback(err); } - token = decryptedToken; + done(decryptedToken); }); } } - // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion - if (token && token.prefix && !token.getAttributeNS(saml2Namespace, token.prefix)) { - token.setAttribute('xmlns:' + token.prefix, token.lookupNamespaceURI(token.prefix)); - } - - callback(null, token); + done(token); }, validateSamlResponse: function (samlResponse, callback) { From af3f4ed2dbdd772f22a042270db060ccf4ee5a75 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:30:35 -0300 Subject: [PATCH 052/203] minor fix --- lib/passport-wsfed-saml2/samlp.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index ee1ddf4..1021476 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -59,16 +59,16 @@ Samlp.prototype = { } var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; - var token = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion')[0]; - var done = function (token) { + var done = function (assertion) { // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion - if (token && token.prefix && !token.getAttributeNS(saml2Namespace, token.prefix)) { - token.setAttribute('xmlns:' + token.prefix, token.lookupNamespaceURI(token.prefix)); + if (assertion && assertion.prefix && !assertion.getAttributeNS(saml2Namespace, assertion.prefix)) { + assertion.setAttribute('xmlns:' + assertion.prefix, assertion.lookupNamespaceURI(assertion.prefix)); } - - callback(null, token); + + callback(null, assertion); }; + var token = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion')[0]; if (!token) { // check for encrypted assertion var encryptedToken = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'EncryptedAssertion')[0]; From bff9bbfc79dfd20934aa0a389d3cb4c4b6d188fe Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:30:42 -0300 Subject: [PATCH 053/203] 0.8.5 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 83d425c..b4b5fdc 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.4", + "version": "0.8.5", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 64ccbd31edb7459757f6a03627f18e1d6757b607 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:34:39 -0300 Subject: [PATCH 054/203] code improvements --- lib/passport-wsfed-saml2/samlp.js | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 1021476..5a739ef 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -59,7 +59,9 @@ Samlp.prototype = { } var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; - var done = function (assertion) { + var done = function (err, assertion) { + if (err) { return callback(err); } + // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion if (assertion && assertion.prefix && !assertion.getAttributeNS(saml2Namespace, assertion.prefix)) { assertion.setAttribute('xmlns:' + assertion.prefix, assertion.lookupNamespaceURI(assertion.prefix)); @@ -76,21 +78,18 @@ Samlp.prototype = { var encryptedData = encryptedToken.getElementsByTagNameNS('http://www.w3.org/2001/04/xmlenc#', 'EncryptedData')[0]; if (!encryptedData) { - return callback(new Error('EncryptedData not found.')); + return done(new Error('EncryptedData not found.')); } if (!this.options.decryptionKey) { - return callback(new Error('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.')); + return done(new Error('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.')); } - return xmlenc.decrypt(encryptedData.toString(), {key: this.options.decryptionKey}, function (err, decryptedToken) { - if (err) { return callback(err); } - done(decryptedToken); - }); + return xmlenc.decrypt(encryptedData.toString(), {key: this.options.decryptionKey}, done); } } - done(token); + done(null, token); }, validateSamlResponse: function (samlResponse, callback) { From 85fce315364d1627f8c9d254141ffb5bd35d950e Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 13:34:48 -0300 Subject: [PATCH 055/203] 0.8.6 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b4b5fdc..66a9543 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.5", + "version": "0.8.6", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 769583aab7eda878e1528a1df1b774e2e76beaea Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 20:04:12 -0300 Subject: [PATCH 056/203] ensure assertion xmldom object --- lib/passport-wsfed-saml2/samlp.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 5a739ef..b6cf0cc 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -62,6 +62,10 @@ Samlp.prototype = { var done = function (err, assertion) { if (err) { return callback(err); } + if (typeof assertion === 'string') { + assertion = new xmldom.DOMParser().parseFromString(assertion); + } + // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion if (assertion && assertion.prefix && !assertion.getAttributeNS(saml2Namespace, assertion.prefix)) { assertion.setAttribute('xmlns:' + assertion.prefix, assertion.lookupNamespaceURI(assertion.prefix)); From c931e0231315a554f5f66c38321dddf9ce307ca1 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 25 Feb 2014 20:05:05 -0300 Subject: [PATCH 057/203] 0.8.7 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 66a9543..ba853db 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.6", + "version": "0.8.7", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 4019a8eea8cfae53604473f3e6489be37ccf4fab Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 5 Mar 2014 15:22:33 -0300 Subject: [PATCH 058/203] xml-encryption: ~0.3.5 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index ba853db..0db2b29 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "xpath": "0.0.5", "cryptiles": "~0.2.2", "jsonwebtoken": "~0.1.0", - "xml-encryption": "~0.3.4" + "xml-encryption": "~0.3.5" }, "devDependencies": { "chai": "~1.5.0", From a314ac37575f61684ac03c3fdcb7e60fb028b4d5 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 5 Mar 2014 15:22:40 -0300 Subject: [PATCH 059/203] 0.8.8 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 0db2b29..cd29365 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.7", + "version": "0.8.8", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 9228b22e5d456a3fc8b0a9e1faf04a7a45aada25 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 9 Mar 2014 23:53:00 -0300 Subject: [PATCH 060/203] latest xmlenc with autopadding option --- lib/passport-wsfed-saml2/samlp.js | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index b6cf0cc..2d4fb90 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -89,7 +89,7 @@ Samlp.prototype = { return done(new Error('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.')); } - return xmlenc.decrypt(encryptedData.toString(), {key: this.options.decryptionKey}, done); + return xmlenc.decrypt(encryptedData.toString(), { key: this.options.decryptionKey, autopadding: this.options.autopadding }, done); } } diff --git a/package.json b/package.json index cd29365..87f8d44 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "xpath": "0.0.5", "cryptiles": "~0.2.2", "jsonwebtoken": "~0.1.0", - "xml-encryption": "~0.3.5" + "xml-encryption": "~0.4.0" }, "devDependencies": { "chai": "~1.5.0", From b17ff64cbc072d2b65fceccca322f5b7fef8e48e Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 9 Mar 2014 23:53:14 -0300 Subject: [PATCH 061/203] 0.8.9 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 87f8d44..113b8f9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.8", + "version": "0.8.9", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 9557eb4f242bca3162b2f6b3eb8637a191c7d662 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sat, 29 Mar 2014 10:11:30 -0300 Subject: [PATCH 062/203] update to xml-encryption 0.6.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 113b8f9..867f4ff 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "xpath": "0.0.5", "cryptiles": "~0.2.2", "jsonwebtoken": "~0.1.0", - "xml-encryption": "~0.4.0" + "xml-encryption": "~0.6.0" }, "devDependencies": { "chai": "~1.5.0", From ca41ae4fbedf6172b8392fa5411bb7d4912e153e Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sat, 29 Mar 2014 10:11:46 -0300 Subject: [PATCH 063/203] 0.9.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 867f4ff..565ad80 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.8.9", + "version": "0.9.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From bee0d54ff0ba3a0300709edceda7bd6bf51c2693 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Wed, 9 Apr 2014 18:29:06 -0300 Subject: [PATCH 064/203] move to our own xmldom that support xml entities encoded using ª» --- package.json | 6 +++--- test/interop.tests.js | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 565ad80..7e557f5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.9.0", + "version": "0.10.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" @@ -22,7 +22,7 @@ "passport": "0.1.x", "xml2js": "0.1.x", "xml-crypto": "~0.0.17", - "xmldom": "~0.1.15", + "xmldom": "~0.1.19", "xtend": "~2.0.3", "ejs": "~0.8.3", "xpath": "0.0.5", @@ -35,7 +35,7 @@ "express": "~3.1.0", "mocha": "~1.8.1", "request": "~2.14.0", - "xmldom": "~0.1.13", + "xmldom": "https://github.com/auth0/xmldom/tarball/master", "cheerio": "~0.10.7", "xpath": "0.0.5", "xtend": "~2.0.3", diff --git a/test/interop.tests.js b/test/interop.tests.js index 3ebbb02..29eee6a 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -166,6 +166,20 @@ describe('interop', function () { }); + it('should validate an assertion with umlats xmldom', function (done) { + var signedAssertion = new Parser().parseFromString('https://aai-logon.ethz.ch/idp/shibbolethjVMwKZ5O3hXfOf6tkVan2hnPW2w=nq5nJangoli5J6uBF/sEeYyKL7+xepbsDmjT6mpggLmba6yR+lQaZmAGnti8nhZUPyXwZfZS3d9oH4upbRg56jdVVcPaZUhYOPW2T2etm7lxxaDlHDJo/E40KnBtGMn6Oxz23hXUrc6p6K4FFLCQwmsE3ZZlP/u8DcqKNl5X/D5udcCV75mjxnVKWuXu34Xw4uQEQBb+6UfGjDN1/91M6U3ZZ0iOSRsBC7+SYLVMbDZqGveioKjZMPBuHmoBwQxsCixu1var3LNyCFVRo0LV9qA5DhA5lyH209+kFsN9vqzHKkiOF+Wua+Ngh2oR/48CWfTOjDuvRpje1bICIwwCQg==MIIFjzCCBHegAwIBAgIUZ+QtvaEucMtOcruHlzQrEDH92FMwDQYJKoZIhvcNAQEFBQAwazELMAkG\nA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHzAdBgNVBAsTFnd3dy5xdW92YWRp\nc2dsb2JhbC5jb20xIDAeBgNVBAMTF1F1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBMB4XDTEzMDQxNzA4\nMDYwNFoXDTE1MDQxNzA4MDYwNFowYzELMAkGA1UEBhMCQ0gxEDAOBgNVBAgTB1p1ZXJpY2gxEDAO\nBgNVBAcTB1p1ZXJpY2gxFDASBgNVBAoTC0VUSCBadWVyaWNoMRowGAYDVQQDExFhYWktbG9nb24u\nZXRoei5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOJWLI4vWx5HnqUvkBDm5Egp\nUg8yOlL3HbS0Y62/k77R2W9wxNczcR79wUBl2cNDCF/LxzdY1ml2u2skbZy4tqtmcvHVrwM5RVDb\n3jpjUhzBlD5rkpxgut2zFmNsahXzceD9dzsTvq7MUq6YgW6iRY3wNbes7ZgRtdkCz+vbiB52iTES\nZ2lo6fBn69eiqywUhQ5t/K4jGqpSUf1DITz//lMWRveagVyUq342JONxo93nt6x6ewGg+Qo8yCuC\nj4VehpncHYV0oNI2sSncKPm23Z4TNxPDalSaq8R5nKhueG+FHX7Ks8hWYSf42m2rrZLTumv2Ry8H\nFrPFkI7kuSFwVRECAwEAAaOCAjEwggItMHQGCCsGAQUFBwEBBGgwZjAqBggrBgEFBQcwAYYeaHR0\ncDovL29jc3AucXVvdmFkaXNnbG9iYWwuY29tMDgGCCsGAQUFBzAChixodHRwOi8vdHJ1c3QucXVv\ndmFkaXNnbG9iYWwuY29tL3F2c3NsaWNhLmNydDCBtQYDVR0RBIGtMIGqghFhYWktbG9nb24uZXRo\nei5jaIIPdmNpcGhlci5ldGh6LmNogg92Y2Flc2FyLmV0aHouY2iCD3ZjdXJ0ZXIuZXRoei5jaIIP\ndmNvcHBlci5ldGh6LmNogg92Y2Vuc29yLmV0aHouY2iCEmxkYXBzLWluZm8uZXRoei5jaIIPbGlu\ndGVzdC5ldGh6LmNogRt2bGFkaXNsYXYubmVzcG9yQGlkLmV0aHouY2gwUQYDVR0gBEowSDBGBgwr\nBgEEAb5YAAJkAQEwNjA0BggrBgEFBQcCARYoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5jb20v\ncmVwb3NpdG9yeTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMB8GA1UdIwQYMBaAFDJNoU/q8K6Ztu6bByyECBFQi+J+MDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6\nLy9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2c3NsaWNhLmNybDAdBgNVHQ4EFgQUUrfY5AJdnN5W\n9TTyrVObbQEoH/cwDQYJKoZIhvcNAQEFBQADggEBAJHQIjLbalw9LF9wIjhhOsEsaf/Bd8dSKcb2\nICLC16TyetuTTJfqHqHr3QiAcrSNKOxqoFBX51t7oNyd3n1BGxJeYmpoyKHKmViUF9mJWBKxSvfW\njmYA7M/LptNX+aUz0fPntCokjH5pPAk3n5YYf2gTFOmRbZDdvNxQ0+o5EkRKkxLDAYM7HlJshWfK\nyY8ZKiPSx28ebXORGzW/VC5VunURFPmhvy5hUFo2qFhGhkQZD1Tg5uN+vd7KywgXLiQKWFDweOxY\nkFuTatM9peWNaapAuaYL8D6q/pn6q76cDKiMjTLp1siQsVVzFAZNjywOve5tdqB/Qo7zwX7TggF1\nmrQ=_e132eb870c4a912c56e1bafeb5257b35urn:auth0:fmi-testurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransportmemberstaffstudentGnüggeRobertethz.ch187624@ethz.chuniversity37J7PjSu8hkThPDMZOfZLtca0Ag=robert.gnuegge@bsse.ethz.ch'); + + var saml_passport = new SamlPassport({thumbprint: '42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031', + realm: 'urn:auth0:fmi-test', + checkExpiration: false}); // dont check expiration since we are harcoding the token + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + if (err) return done(err); + assert.ok(profile); + done(); + }); + + }); + // it('should validate a saml response from datapower', function (done) { // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; // //var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage'; From dc7885c5cd9ea6872088047a026cff71722020be Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 14 Apr 2014 10:42:52 -0300 Subject: [PATCH 065/203] authorizationParams: return all options --- lib/passport-wsfed-saml2/strategy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 93a4ca4..3cea29e 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -155,7 +155,7 @@ Strategy.prototype.authenticate = function (req, opts) { }; Strategy.prototype.authorizationParams = function(options) { - return {}; + return options; }; From b9364b7f4bdee3b08402819f6e1d49c635fe1230 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 14 Apr 2014 10:43:08 -0300 Subject: [PATCH 066/203] 0.10.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 7e557f5..af2d9fc 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.10.0", + "version": "0.10.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From dd20579511aad5c765604e4fa2fa4925ac527092 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Wed, 16 Apr 2014 02:46:19 -0300 Subject: [PATCH 067/203] move to xml-encryption 0.7.* which handles padding and utf8 better --- lib/passport-wsfed-saml2/saml.js | 2 +- lib/passport-wsfed-saml2/samlp.js | 1 - package.json | 2 +- test/fixture/samlp-server.js | 21 +++++++++++++++++++++ test/samlp.tests.js | 31 +++++++++++++++++++++++++++++++ 5 files changed, 54 insertions(+), 3 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 0eef307..5ffbdcc 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -190,7 +190,7 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { if (self.options.extractSAMLAssertion){ samlAssertion = self.options.extractSAMLAssertion(samlAssertion); } - + if (typeof samlAssertion === 'string') samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion).documentElement; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 2d4fb90..fa700a5 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -104,7 +104,6 @@ Samlp.prototype = { } self.extractAssertion(samlResponse, function (err, assertion) { - if (err) { return callback(err); } if (!assertion) { return callback(new Error('saml response does not contain an Assertion element')); diff --git a/package.json b/package.json index af2d9fc..bd50a58 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "xpath": "0.0.5", "cryptiles": "~0.2.2", "jsonwebtoken": "~0.1.0", - "xml-encryption": "~0.6.0" + "xml-encryption": "~0.7.2" }, "devDependencies": { "chai": "~1.5.0", diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 612d742..bf86680 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -107,6 +107,20 @@ passport.use('samlp-okta', new Strategy( }) ); +passport.use('samlp-with-utf8', new Strategy( + { + path: '/callback', + thumbprint: '42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031', + decryptionKey: fs.readFileSync(path.join(__dirname, '../test-decryption.key')), + checkExpiration: false, // we are using a precomputed assertion generated from a sample idp feide + checkAudience: false + }, + function(profile, done) { + return done(null, profile); + }) +); + + var fakeUser = { id: '12345678', displayName: 'John Foo', @@ -218,6 +232,13 @@ module.exports.start = function(options, callback){ } ); + app.post('/callback/samlp-with-utf8', + passport.authenticate('samlp-with-utf8', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + var server = http.createServer(app).listen(5051, callback); module.exports.close = server.close.bind(server); }; diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 8885662..0bc1ade 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -141,6 +141,37 @@ describe('samlp (functional tests)', function () { }); }); + describe('SAMLResponse with utf8 chars', function () { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-with-utf8', + form: { SAMLResponse: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9mbWktdGVzdC5hdXRoMC5jb20vbG9naW4vY2FsbGJhY2siIElEPSJfNzY4NjU5OGUzNDk4YjcxOGM3MjcyNmZlMjVhZDU3Y2MiIEluUmVzcG9uc2VUbz0iXzM3ZjAyNjJkYWZlNmJhZWFmYThiIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDQtMTFUMTE6MzU6MjQuMDYwWiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9hYWktbG9nb24uZXRoei5jaC9pZHAvc2hpYmJvbGV0aDwvc2FtbDI6SXNzdWVyPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpFbmNyeXB0ZWRBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjx4ZW5jOkVuY3J5cHRlZERhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiBJZD0iX2M4ZjVjZDJlMDBjZTIzOTBhMmQyN2UzNGNmNDBlYjZhIiBUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNFbGVtZW50Ij48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIi8+PGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjx4ZW5jOkVuY3J5cHRlZEtleSBJZD0iXzBmNzM0OTg1MWQyNjQ0OTY1YTQ3YzZmNTY5NzUwOTUxIiB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNyc2Etb2FlcC1tZ2YxcCIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIi8+PC94ZW5jOkVuY3J5cHRpb25NZXRob2Q+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRE96Q0NBaU9nQXdJQkFnSUpBUFBvSHJFcGI3b3VNQTBHQ1NxR1NJYjNEUUVCQlFVQU1CMHhHekFaQmdOVkJBTVRFbVp0YVMxMApaWE4wTG1GMWRHZ3dMbU52YlRBZUZ3MHhNekExTURZeU16QXpNVGRhRncweU56QXhNVE15TXpBek1UZGFNQjB4R3pBWkJnTlZCQU1UCkVtWnRhUzEwWlhOMExtRjFkR2d3TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUtiOUdpZmYKK0t2UVB3bzllb09iU1c3Tk5ZWkZyVW94Um43NHFNY2RmWndrdXdHM084RUdpOFgrVXNOdE5nd1FsTVZmWXQ5bEtCNzFpSlNsS09CaQpCUFNGUDd6UDlqRnRUbmZKY2FSdmR2WVBvSUM0WTgxdHU2TGtOTjNlMS8zMU5wK1I2cGQ3RjZMZkhXcXVmK0IraHlISkNYYXNkZDZKCmxHb2ViOTQrZW1wajlsbTh3SE5iM3NyLzg4Mzk0S0ozRlVCZXhQelE1cnBLTGU3ZDVmbTRFS08vaXlFcFdIVWxmN2RmOXlHRDZtNzEKUHhvKzhyOERxcTdBNUVoR1gvems2U3V3WjRqL3N6aXp5bi9jWHVsbEdnM1BBc2M5WFhMVDQ1NUExS0VCeDVlVEdyTWM3SlEzdURVcQpxZkRmNHZqd2xOQmNJanhnMlgzZE0wc0pWay81cjAwQ0F3RUFBYU4rTUh3d0hRWURWUjBPQkJZRUZCczVscGZ2ZXlPU29wbU5WZWVoClhQK1BHdGszTUUwR0ExVWRJd1JHTUVTQUZCczVscGZ2ZXlPU29wbU5WZWVoWFArUEd0azNvU0drSHpBZE1Sc3dHUVlEVlFRREV4Sm0KYldrdGRHVnpkQzVoZFhSb01DNWpiMjJDQ1FEejZCNnhLVys2TGpBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQlFVQQpBNElCQVFBMlprM1NtU0dUT2gvNnJhemVtL0ZpOEd6RW9wY0tkSUUxdWVDaFRzQXpoNi9taW01cTVsSDBQVzFiODVzUTMvYzMxU1lVClN4VlpCODRLMk1QNitod0MwV1p4a3E4eTBpTUVFQXhXeUMzWjNpOXBTbEdkdzdzdi9OV0p2NFlQam8yc1NOSHVaODBPMTFhM2NYb3UKWXhMTzhEQlJNcTlWVHM3UmI3cUtGQldsNUl4K2NaeFZnbHJ4SXY2VzA4T3JybXFQZW9EanVpSmlCajI4Y3NqaGVoWUVsS1ljblU0TApSZElqQmxaRm4xQW9USlJCRkF5akw4QnZTTUlNUmt6RXJvL0dwM0l6ajYwM1JCVEdPa3ZuaWFsS0hjd0xuVkZGRTB4ZVpaVXE3S3cwCkx2TzBYOHVTM0RYN2RUYzJvcXpYT1R4NDIvT2o1cTl4VXVhaXVYME1SWlQwPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PHhlbmM6Q2lwaGVyRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkNpcGhlclZhbHVlPlBtN2dVRDI5d1AwMTdLUnZKTmdmVzUxRkQ0eHlUTGJ5RDdXbElNRVZUR2xzWnc5K3ZNbUdzL2VkdXJoT2ZVZEV2SGZBV04vdUYzYkxCOTl1Q1pFN0dHLzJ0aDVBS2pLejFaN1NvZWZuUU54dnFvbXUyNUNmWTEwUzFpbitNMU13N3ZrcTZlS0c4bndEQjBDc3JsOXJ6ZUMyekNQRFc1TG81N0x2NDNNbUVpM1dYZkVhbkQwZDJZT2NRVFppaHIzUlpnajl0SDJUQmVKZjhNN28yY1BrOXFBWk40aU56dk1oWE5OV0RDR256SGxIdXNxVk9RNWM4d2l5MmwzdWlUZlk3aEIvTVhpUDVmemRPYitEbWw4NlJrT2MyUVd3RHUwQ0t1ZHBveVRxQW90OUhFZ1JoL25tVXVSQkVKQ3NtWEdyN3FOM3ZSWW5HTXRmdEswZG9VYzN6QT09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpDaXBoZXJWYWx1ZT4xY1JHdFhpWFZMYXRhSHFTMWVLM3JtTjlQcnJyZ0laR25XM0xPT25aektuU2w2dWFKWnRENXFyQkRURE5zaXg2ek15cHJPOU5KQVlQYlJEQ21CbWNaVStMSm5aSVdtT3IrQ29SdWJBUGdIT2Q3Q0VoQVB6RGVJZFh0S0V3R29hNHNKbXJRMjlCR3VSejBYS3ljTlJhU2lJa0toRm40dTZCRzV0a2dzS0RRT3Q3dmd0RzhuV21pczZqM0lYSVdrWGpXT2tKWjBHbktXajJqd3EwL3ArdEo1OXM1R3lTQi9uVy9nQW1PcjlLelhJMllQWm5CTk1xSUl6ZTZPNDBaaDRtaXpmUmdTSzM4dE5XQ3NCRlB6Q1krZjJWZVlsMzVORythdUhEZU9BRGtkQkR4d2xqRTJCV0Q2MXBKaFhuRzBTRVBIcnV1b1k3YldjWGpoNDVYLzhiM1hNcHF4ZDFjRFJPZkZMdFRMb0syVjVqcnhiRGRvcVh2TFR2NnZ5NDZGVkZYRVNEV0xmSGFxTjBOTlNsY2hORXJmcFV3SDRNUXNVOGU1UW1yeEw1QUVDVldmQytEYnNOZTVjZFhZcS8wVTBkcWJPV1ZlQkdVL3h0KzJEWmVhSFBTZVpweGhCb3diZ0FKejRlTlpQdnhIWVRGZHducXZhemRneWo4VUdHbEQvZjFoSXFHWHFja3BNbTJ2OEplZUd1akV6SDNnMXNOcEluWG40eVBaTUFLSEtOaVhIZTF3aWk1V2V5Ty9tMHlCUGZreGRrMll1S3NPMy9KWDlOcXltNXV6WUIzbmZZN1JkR21pdXBDV2tpb05aL1hidG5Bb1dDSENyc210am1kdm5rM2NBTVAvdmNSWmluQm9pSjgxdnBLdTNtSm5FdGV6cEVqaUMxY1dnTUxoLzZRK29MbXZOL1dyNVZWZmxjSFJYMWNhTEQrWURncnkybTVCbHBTRjhVKy9KYXR6NjR3Y0V2aXlqVFgwelN6VlRtakptZG44a3FvSEN0V3RvVCtWQUt0MG9CcGRMdHg5eDUzUTVTVG1rUG5xOXdnc3FWRXBGZGFHK25qM1RiZkY5K1FBMHFCVk1BVmxpZmNyb01YTzZRZlpFZUwwNWpFZWFSUGZpK0t5K2tVNUUvMFduTWFVUU1ZZE1kUFh5NW1XenZuZHMzVE5DczRjMWhYc1c2SXFoeTRnQjFPdEFVdjhIeEtPWVhrT0ZMMVN4TEs4Ty80UUUwVEFGd0hvZ0hEY3NVTEIvNDJHZ3IxZjZJVWcyTGNjOTMvN3JOUkhOV21OK21ienBJdUUvT0lRTEM5RW5yM1ErSkdURFJKajJsR0Fidzk4MnlsUzYyS2ZETDlKMWEzdzdtb0ZKM3ZubTdTUmZ4K25CREw2YzFBSDJTS0s1SmsrT3VDOWVSWllwMDdXMy9TQnJOWFVUUzhpbnpRaERLSWwvOVJ0b1Bzbyt3K3RnaCtIY2svNERaQnV0cmtpY3BGejBWZm5pK0VGZXBEZVJLT1ZwY1JNclVFeHdvWFZ3SitBUldMRnBIdDFJQjh4TmJTeFU4WUpzeDlMdWxGeXhUQzVOYWFqU0N4WFhkRENFajE5U2o2MFRYZGcwOHNRY0NYdGxUS1dLVDdQQXl1cGo5dFZtdVg2NkEweGQwdWt3MmhjbSs1bnB4REtEbUhKdWFMSUlzSDB4WDFyQVE0a3VqVHg1aGNGZnEyMDZIK2JBUE1xTEYyTjFDSnlkYUJMd2xoejRwa0tPczhMRXVzTGtySGVUK3hFeHBETnk4MzBZQ3M1SUpnTkY2R3dFcFdiaklGbVNIMlpzSnBycnB4b3h6eGtuZ29DSzYvSlRkYUVoM0diWkVmaFNlSW5kTGFnUktFcjZ5azNFMS9sNzlxTmxCbzlpUndTRE5UVXdkMmVHOENhZVpyYjJQZEIweDk2L3Z4L2lkUXNwQjNCQjkrbzBRaFhndVp5c0pDMmtIdmZUSndZZjRWVDBoL01TQnk1dGVWYU1kUWZxUmpCVm9pbGZncnFaVjlPTHZOOUw3TzUxVGFqVE1EcmdleGxIV3VNNVhMczZUK3pNdXM3WisrNys2aGNEUGg4UXpxY2ljVyt6TGpOTHN3OXhZS09CNlJ4T1NHTy9CekkxcExhbmRHSnJ5bXVsWlBicUJyZEQ1MXFWNUxwWjVBcUU2MHg5RGc0NDNJRkpPeWIxUzN3VCsyb3BBVEFDVDZQV3o0blJsNHZJc2J1M1RlVGdGTXZiUHdKdmV0U1d2ZjNwckdRNDlqVHpMaXhlSUlRTmUyOXdYamZROE1TKzJSUGppMnlpQVFCcllITWo2UzBiWFloYUVCRmFGN1kxNTRxMVJORk5rTmpmN2tVQjBTbVlnaVU4em83QjdLNzRwTm1SbWxIcitMcGtFcHVyVEU5Lzgvd1hhRWFzSitIb0UyNVlTYnFZRitxKzQ1L1NFcEJQdWpCa2ZQdkQwR0pqVCtnbGxiNzFWQU9nMTk2dGN2RFU4TUduSUN6SGM0ajJRaWVhZkF2YzZMNElvMEJRQXhnNDZXTTlIWVJyOGhZeURQNzFCMC95Sm5CV1R5QzUvWFNsRmsrQWFQeXpxdFZpMk5GeFh3bnRldzA1R1NjU2F2NDdKSEFRVFZaRlJsd2k4RkNtaUpKZWVQVWRrb2FlZExOT21oUXFMN0hmZ000RDRmOE9MaHhxdng3Ym5QQkRPMmlBcndYbHFrdy9Lc3l4dlQvZVd3NUZMOW41KzVDTWxiYnJCTEpNM2o2WkVxM3RJOWZuYk1vNmFHUERRb2RURUMwaEY2ZHdJYm02VG5tdFlLcDFZSTR5UWlzMUFURmIxbTY4R0htS0tidXNiMGE4N3BKbzRYbDlQdVdLSFRhMXBWdDBVTWw0RWJjNm14aXdyRytIZzNFdDRXUk5qaTJHQXhWMmYyekFaN1ZsNXpGRk02dmdxbFlqQ3NWZWNLekM1emp6T2Y4aDd0UThKdTUxMWJpRjlhN090cFhCWHZqVWdvcVRFV25SM1pyRjI4MkNNV3VvUXJHbjlwNFR2eldORU1iWjd2cGJiQ2tYS0t3cFhhWXNzL3pwcHg2d3JXWTRNOUdoVE45RVhXTTRXUGVpbmZ1MStUQUdDK3dISFVTd2h2TE9Ob0RsaHhqcU94MVVweVZubmxTeTV2QlBIbWRrYXgzT3o4MWhIY3hHVEtvb3N1U0hRYU9hL2xRelY4Sm9sM2RyZURobjlBWkM1bjRsa3hYV0tUOEhuQUNMS3VUTE4rMXpQUVY0UWorSDcxNUloNkZzNkE3bGY0dVloY2pWcWNVdWZrTHFvcjd0NjdOck5FekIyNSs2UVNRSlhMbTNUU2M2UTlCUDNjNUhWOGZzVHJEL043RUdJUkJGL3BTNldSMzY2UjV6WkJiWjZXbFNOek1TcnlwZnlQVDk5ODhJeGtLRFZqYjE1MkZ3Njg4OTZvUS8rckdxY3BxYlB5bmsvYkpVbThWWU1vbzA3U0J4Y2hURncybmtRc1VLT0J2MkdJT01WQ0d0YUVmWDh5YVBlcGZ4UGFxSm5tVjJTQ2U3Q09vVWQ1b3g2SzgrL21uWUZaTXJ6N3RYQ1VIU1MybDdyU3BYTStXZ013VnIwalh5OXdYSkxKK3NLM0dXSDZYVDAzNHZrMk1KZHdmcU9zQnBwTkFjeStNekd5NDlFVlFULytQb2FlT245MzM3aHBibjFnVmNMd2ovWGMzRll4REtkakY1OGNUL2d0dG52aWRhaktUcGNnQ1l4R1F2KzNRUkhidWFEWnRyRXY0L3phNnpiRGZHcEtzbklqeVVhc21HeHpiQ1Q3ZjFMQU1aYlJwaklnYi9ScVRnVnhEQXRhUGNSVU9YTEE3N29ZZm83Y2h2STd5RlJGbk9lMDNURDhHRFFLaGI5VUlzN1JmRXNYS0xVOVZwZVp3NnZ4Q1lNZDhScTlDbG5kOG1jR0FsNDgrOTRVeUFWZUdUelYzMWVCam44QjQ1R0wzWDkxL2JULzExaHZNS05YMjFQbUZ5eVR5YzZNMXhVY3IzN282YWY0SEFzVW5YZ1o4U1VLUXdKUE1WQzkrRW52RHByUjYvWS81S1l5MFVnb1IrR01IRTNaMXl0UUdZWEZZRlVaVW1NVjJVZ3oySW5pVTRhWExYNFlxQjhMRVgvRjVENnUzcVFCekhkSXhPelNTdlRiRXN6dVhuOFd4NStMNW1MVGM1U1JuNmxQZTRIUVZ1U0lLYzg3Ym5UTDFzNHFadjF0KzlaTUxLSVRHc1J4bjM1YXFZdVBMdDVOM053MlBZUkg4ZHFyZkwvWlA5WW5CWXo2aEFlWXZQVG5pYWF2ZVYzU0dNeW1VRVM5YlVtbHRjOUo0NnR3MkNwYkkxT0NDRDJ3dW1ucTlvbkZEam1oQUticENkaVNlSXFyNll4Y09QbzFXTnNVMmR1Z1Z3L1dYbTl5RUJ4S0o1UHJjNHJhdjhPT2Ezc0g0Z0cyYm9KeEMrMTluenZDbnVmTTRiRVQ3WVY5SVdmaDJLOGJacytRYTZPYjBTOXZnUWw1YWhGekpCUGhNUW91NjhKLzNkQm5ScUlPUENUMUhxcDN2aktlR3B4bGQxRDl3azZNYUREakl4aTJvWDQ3azZYREt6UkprUENabnJFTDZSblRodFJ0dzhiRUJCblZvdTdHWlZMZWtmRmw1MGlHTldBTmJpYTFGaDhad0c3SmxGbnhQZkhOdHYwM1QrT0dmOGhnMDV4YVlWQjRtZURKeC8rWmJBQzBKYUpYeUpNMnJmeTVuY3UxTk9BNWdEV1E3Vkp0MlFyQXh2cmQ5TVV4eHRnbHRtek1Nc1FZbDd3QVByMk5QRW1Nck1EeXJCcVRNY0JWbVg2N05sNGhBck44WUQySE9WZW5pZkkzcGFZSXMySTg3eWJ4SVNsMlEvbDFySXdScHFZSFVzRGNqVjBmUzd5c2VVZUdnK2hEMDdZR1RWaVkvT0JHeEswMzJneUtUcFdVMHFibW8rWTYvWkdVdnBqbldCRWJ5QkhkZ0xia0JUL29CNVE0azdLMi9TQXd6N29DZStJWG9OYkxYYkFNSGZIS296WFNxUysxQkN1TUUxSnNsWGpSWFk1WWJnRms2MU8zUndLRFVMaExUNUdmSlVFUVNoU2h2S05naHYzOUlBY1o2YWlFWlp3WVBUK1BudnNpc1hKanFiM2lhaU1yMCs5aEIvR3hrOHN5amRuVU1mL3FJOEpRU0k5UVhIZ0t6UU5pY0dSZFdjNUpXUkZreUIxMzh5dUF6NHQ4eHI1SzFhNStBUHJ6M1JJem1KWExpSlBySkhhcnlTL1ZNclBKaHR4WFpoYVlsYlJPRFptaUJjci9LVGlaVk02OWNlK3ZTa2FtZHFCakxFTThNWHZXQzRUY1poSDUzZXlmblJNUjIyb3hKVEVlQjZDYWJFZ3diNjNtQXlVb2JUSkdabFlvZ2NpbTZXZ3MwWnFDNllhaVR2dzNuLzEwWnhHWE5XRnNMRGhDa08vTGxqQWh2SXo0VElnN2F1UCsybXRNc2pram9IVDRDMG5QcXhGREZHanVRRHJpblRDZU1ZRGtnVTBhRTZtMzNnRGp2UEZDbGNqTEc4bTd4REtKbmwzTDNsVCs1eUNJSTNvY2NqaGxpTGVlN3JzSklkeFFaeEd3aDB0RUtmSThtdGYxbzlOSnllMEc1UnpXOTdiOXk5T0hEaVloTWNtalFHVHA5ZE54a0h2cU9qak9QbkdBL1FYZDcwYWVHVy9PT25MUjdBdkRzS1owbENrZDN6dFh6eVVLZ0VwQWRHK2FSbkNsT1JodG9xZXJwN1VxUHJvTmRGdHVNWStnOTlyWU9XS0RxSEo0ZFBBK3lRTkFRTHVBNTBLMU5RMHgzbEdlSlpaaTQraCthN1RRdDF4UVNqODBWVk4zR0VJc1I3WE02RXRNa0JLa2h0NjZoS1pQejJpT29mSVl1YUl0QkJiUWRZN3RXTW9LMElUL2ttbVMrK25MSmJiOUh2WDdqMGxvVWhqVFdocHF1MDQzcHRVeVBvWlVEaEVicmVsVzJldW9kc2ZuNHhoN1A1VUlaR2FNVU5HZ2k1bnF6a2p6MXVzaDEzU3huN0g1NTdZeGlZV2p2TmVJWmd6ZGJWK0dKdERDczBoVm0xZzhpbDh2MnEyazViLzlRZWh1NVVpTFNVZ3AvYVp6d1hOL0xkajQyVWxpWHM4TWRPOHVRVFRnZzZDb0dEbVcvaGJZZU1BV3NFelBlUGliRENmU0t0c0gzTlNGWWRUU0hFdjJYUU0zOEkvL2JpTlR1VWhSNzYxT0U5Qy9ndVFmd1lnbkRJZ05uV0NPUTdYRXRqSHZ2SDM2OUZiSEtnNlpwVmlzRWlEMk1qYnpCbEJsTm5FTFFBU3dQOVVBME1iWVQ2L0xuS3hYTnJXTDRwYWs5WjA0R3FBTm0ydTVxcFp5WGZFZzVGWXdUODVHbUpmSW9JQ2lCSk1JeHE0bXlwdTZ4dWRPdnhPeVVCZFE2enQ0dDR4MHp0TWQ3KzlNN3YzdjNjTVZOVFh0WG9NUEZLL1NKQWRaSGVxb2ZIS0FtcEJiaWV2ODhWL05XaVR5SVVUT1c3bkxGdWpSYUtPODZmWnB5c01kKyt5Q0crcEJDZyswZFY5d3RuYjhkdnl5d2hENkoxTExoelQydGZhUU5mWHZ3VUw1d255M3R3Zkd6M3NhV1A2YkYrSmpZd000SlltYjdEbUNySTZML3M5WlJ1TWlGclRFa3JqNUJ0T2oyckpObFlwZ1NWZ2Z2WWtLWDhmZFVhdWczRWRzVktheThkNzRwUE11S3gza0g3N0ZWbktUdWNiTEdSS1AyU1FuT1RvbE1ZTHNlQUhOK2phUkNpODJldTRFVzBxbWNmYjJNM2JjNVBzd0s3UUVQSWVnYW02Sm5jMFhOeUVPU2NWU1hmUUZEU3FGME1jSkVjeVUyQmIwaFgvTStNazd3SEFRUjBxa2tOQU5KYXkrbFAvQVliWVJ1dUtPWTdXRUxheHUzM0dhZ3pZeU5scWJFR1BQQnBTU2tTbCtiMXEyZHRXWGhmd3JXV052Z3lnMUQ4eVN5U2pJUXNaTEUyS1pab2RuZ2labUtqUERjd3pDMFBvcENSVXQ2ZFBZM3ExWTJjMk9Bd1BpY2NkN0YrYWlSSjdzNWpPei9BOHp5NlpLdll1ZW8xSDdoaVd2dFlJZ2YrQy9MaFFuQ0UxR21rODNzdURPQ3JQSUxPMDduOEcrMjZoenEvQ3lGKytGdHNyb29XUTErb29TanNmQWpXaDZ1QUR2N29DbmN3OFdmdjJXVk5pcGVHZU13UlJpcTFuVWFGN3BwK3dONGdsU3NVZzZ2V21GdHQ0QURFeXp3ODBMRExPNGszeXpsQURmc3pJeFc0KzNsT3FKN2loaklvSkMzRlB6djRWNXE5VWFlWjB2NWt2bk5YTmZUb3k0eG95dFROcUVTODFZYjZiK3R5R0pqZFRyai9WZ3l1dEU1b2oyN3R4YU9ObGloYzhObDlQbzZZb3ZrK3BFUU1vMEQ4SlVXNi9qL0FKUnVTT0I1MllMN1BJK3FFQXpIY0tYTXg4d3l3bEVHWEdrako5QXBoWTA4MUFyazJWclA3UEJEd2xwcENlQUtjZ1R3dTNtN0lRL1FibzFQMVhwMlB6U1hVbnI2N0xiRmFTT3ZjalNtNGlBQ3FjeXVPaDFVb0pIRGRRZWJ6UTdrWEdiQ1R6bEVPZ1NRazl5RzJMY25mOGVaVHBvRXZTbUpRNGcyTEovRkpjelBheGI5cUZXaTF0cGt2OVFrd04vTTVSVWd6QmNjNjV2ZUZQZE1ES09VRmU0UnNtV3htbFo2ZXBwQmJxVk5CbFhoQVBIWSs1aXRjWVR3eHVLUGJNRUNjcDYwc01xUEEyMDdoOWl1WVdvclRMMmNyMjQxSlBDQ3lvZVR5TDZ6MjhmbisyQXR5akxCVC8ydXpaUm9iejY4dzNDRUpLU1paQVlURG16ZWpaWXdVbmkxQ3BhM2JEcDNZcHd6ZkFIeEtSbmtwblJUS2gvUmFYVy95RElZb0U5eHQrcFBjb0kycXRLWGZpMjcxRXQ5eUMwTElvRllFQ2dQRE1GRGp2dGZlQTlnS2lpbWNiUThSSGdld3c2c1VLRS81L0VJcGlRS2t0UC9oSUtna2VHbmkxSXJHbnJYNU5aRmVlN1R0V3BlK3ozZUhCRFdJNlh4TGx6a3Y4ZzdQS1ltSkpxZzY2Unl5K1UzSlBkbk9pSkxoTWRzSmd2NDRlNm55am5VK1V5RWRpN3VGTUdoaFdOUlFSNWg0Y1JRMTB4MXMyNUdyUzhZWDlOdWVZNk5nMlAzYUJ4R2E0enZMa3YrSzA2czN3dUl2d2piSWxkdmpqdTM5di80eTlWMlo3VGdRWlFVUVMzQUd5NmFmQ296VXNnN3pFQitOZmx5U0ZwUDQ4eGY2U0NHWFcrbXZ6NVVabWlEMUErNkFlRlBmTktFd1lWZFB2OXN2aElaWlJ6cVQ4RTRNNCtaVUlxS202ZGplRHp1QmdGaEV4djNZNzZlNDd6OFhCa1p0SFV6aHptNlZPTW1rT2JualFlekdWTTBVdnlGbzVYWVZQbzhTQlo5TVBqd1NVbm9CUzB2T01Zb3BSdTBDM1BQR2NVSVFuZ1BncGF2WVRlTHpTWXZzU055WEwySnEvRUd4eWJUekYwN01Kek44VDN6SURUcE9FUjRUOGVGMEl6czVLcERSdFV6c1JLQjFwNm5RcnFmRFdTcE9VRDB1cXU1U3pPTE8vZkJrb1V5QWlWaldtMUFiNWxtSjZWMW4zRHJLazQzVVBMeTJ2MmFMWWZsMWR0QXFkSHBqY2dwaVdLQVptVCtBMU8zMFRLQlVQR3lnTlN5bW45ZGI2ZkJFQWphTG9USG9DS0QrR1RzNTgvTThpb3htM1NUd0F3K1FJUjAyV3RYTjJGM0JpQWV2Z1pGR0xRNEk3eVVvZ1RXdzh2VnFiY0pZWEZOclF2NDl0eVRBcjhRWnhpamIyM1p2Y01EM2ptcDBNbURoTGZza212T0d4WkdLeW9ERzk3b0k4cW1mbzFjQjVxMVUzSk1NSDFudEFiZTl6MWZFTVNOeVpCenVMV3QyQk9MTWU3akNQR0pYSThmKzUrcllmVGJEVlRxeldQK3lrN1pFSVF5TW9kcitoSlE2eEQ4Tm83Q255KzFpMlR0cU1wTGF5YlowUDVDRzlNQ0h6eHMwbHp6bjJiRVFyUmUxVlg5TUJ3NHVmNFFCeUZZZ1phUmN2NzdNdis1alV5QnQ0amhVd3dxdWp3eTRjL3VYdytQQU9iMHBsZ2s0SG8yUDcvUm10bmE0bnZBQWo2Rzl2cVBVS3pqTnh3RmRkRWxFb1ZERDUrK3Q3TnhhYVVXZzljRjhLRFJZU0M0enUxbXNXQXVYZFQ4aEd2Q1lmNjd4bTc1SVB1SnRtZ3FCWmpYUjg3b0NKb3h3aXZ5bzh0dHRxbUFaOFp4K0VCY1hqV2pLMzVKMzZvVFZ3U2JOcnFJYjZLbmpHbEZYSVN3clBORWkrUmtMb3RhU3lPU3ZuS251bERjM0doaEVYYXNCY3dEMElPNzNpZEk0YmlnR2F1bW9sSFF4QWVMRytVOUZycUY4dGdRT1dMenY0aHd3SlFHL2NpNE5GYmZISWpEVnM0bXM5WTdzQldUNkI1T1pNTzZyRE1wOUlsZG1Fcm1VUGE4ejU1ZVdqMDQ1YUxEQkt0Q1k5UHpXaHZXWHhqeTQ3SmxCU2ZETVBNVFhReHJ0T1B1SjRLSmo1V05xTlg3WXoxaTJMTm5weG5KbnltOWNsVTdGV1MrT2dUeTNBOWpYaTFCVXg0QjBHZzhXWUl4LzVBd0pzU0RPVC8yV0NpM09jRXhtUVRveVZrQ2p5UE55ZWNOck9GQmRQenowa1NaQjNJaFU4dW5OT1N0YytaNjdOZnF5K0kvRTlaVDczcUNCYVRJN1UxSFZxQzlsSnluUk1zbUZmMUdvbGNROG5DbXZvK0tPVTVtVkVzL2xvQThIZ3pWZWVNR043SkxaOFhJcUVkbnp5NHQyNlNRbTlobVY2ZDRiS2ZjQmk0MG9XNGZRUFdZRG1pWlorR1MrTDhuSnlYdzNBWkRIWkdKWEhFci85S096RFF0OVU0WVdpYS9NMTIrbFNyWmd5QmlrdWxnbnBBYmU0ZERpMUZMQTZMMUQzQjBIUlozRUdHamRRbng1R1hFZXhnNG9CVlQzS2dRbmpweXJrN0YzR0tQOUhGdnFLTUZ6VWJoL2RCV3k5bjRWc2JXUFlkSDdsSDFyVUg0YzdwN0lrWGc0VlREOE11MzV3b3ZORkErWkVBYmR3Z3o2dTR6NXZpZzhIcHNiUVpNVXZFVy91VE83cVU4UW56Z1o1NHRHcGl2YyszbnBhYnhSUTZSMDNpMHZYdDZCb0JJckFBMndxMmxzMTVSTXhleFZWczdYT25ORDRlcHFoMUJzR2pROC91ejZya1dRNVJFenNCeERxbXpZSTA1UXhYZlducUM2WVloWXpON1FQUzh0SGpYbGxsN0VzKzhVYzhzTytjRkE3REM3Y0hRbVZGaVpXN1NZYmFtTmFHc2FpY2VYTHE4Q3YveDJIZ21oUzYveU1qUFVFVkhoOTVZdHdhc25kT0p5NGdBbUlEWkh0d2RsOWxXY1ZDMDl4MUlBakt5UWlpQjRPLy9DcG9qZjFOUmNiUWF3VVBKMGI5ZXJyWDNFVWM3cU5Vc2NGMlpubXZVVThxM1g2UFVpb2p5TDVGMUFNdWJzcThuOTFmaG5FUmwrY2syQUJWYm9yeEhORlpSVXgvVlNYNHRMZzROUG1VcmhlalNoNXJZUkl6S3Q5OG9PNTBsTlEraS9RVkZUbmt6Ym9SUkkrS0NTM1o1bzJZZ0hlOGx2ZGhDeHYxZ3hjVGhRM21pd2dIeDdmR09LV1Myc2psSkxYanMxbm9raVowTEZ0NTIxaWYzKzFSYVZlRHpCU1hYRFFZVCtwbEI1S0M2L0ZOZEpDWW9mZGVTY0gwK0lHN2FyeWRyOUhUOU5SMXNHczZnc2JYQnNnWnViNXFKVmYzSisvQ3kra2FCYzByTEtyZ3UzZmlGUG1uMDdhWGdtK2xRVjBPVlVkaWVoNm5vQ0oxcHczT2VNdWJ0TU9rcmQyUWRFNEQ3T1ZoVithdUM5b1pIc09uQXhDYnZoYXovTTZYOEFaNXducHUvZVdwdDZ2WHBhWHpXVklJcVBET0NFMnRCSTcrNlNmTHdjVXFlYU5ZSVhtUlRwNnRUOGhhcDduZXpDZldqUGZxU2ZMVGljaFpEU1dlR2hYTXZWNTRCODJ2eWJoM1NBNXZCZDdwRnkzWTlxYnNCaHZDbHRKWmwzK044OXNnbTNJWElyeU5MT3JmL3VUMVJ0NDRrVDNleFM5N3FCWVpteGZXZW5PeUxqOHAxZGJlSjd6MlFxeE1xZXRia3FOUHBucnduMUFMV3VkSU5ZOGhLYnJYS0RDQmhWMmNQTkg3VWdTcnZYVFV2T1UxRnVyQ0FGRThSa09vcWxobUZ4SXRRUHUzNWd4MWFqaVFBTkMxQllTdlkvZzZyL2lLMHRlekFoRGNtaW4xVWF3Qk1qMkZHK2M4ZXdCYzVVbzN6ZUNIdERYVnlsSlY3UUdGVGZZR0JOWmlKUXJkYnFXRmEra01tdjRJUWYzSjY5bjBEeVNwRTJVY0h5dlFKQ3d0czlUN3NMU2h6WWFNVFVKUUFmOHhwcjBXKzVac3NHMjhJcXFsSTNkbUFpM0dQa2REblE3c0ZiNXBWSVVFVHRUQm9kMEp3K0U1UGgvY0Evbk9FbHpRYXRXUmUxWCs3NFl0bzdZSWJBRW56NW1YSGlva1hnTkVzbEdUWXhzWUo5QVBWOSt4WjVKTk1VWFl0OGhrVHBwaFBzN0FlazFpOXhsMW5sbm5FYnY0M3hnM2VMYTRySDBBcy8wTE9GK01yV2Z0aDBoWnQxanJCb05ycmNHOG1WWVJyd29YaXFIS3NSZTRVYTQ4a0YvRXVRWFZKeUZPV05KNUJjYW9xOSswa3lJdnVoeVhxNS9UL0tJTG12cFpTMzZINHJ1bFJhRm1Hb29sejBtaUl4V2FrdHFpUjF1VjhYaWtiekZFUzR2cGV5NHVKMWVBZjUyRCszL2NLY0V6V2E2KzU2VGRFQ0VKQWExWDl2Ni83UzFDZlBxaVkwN1lNMXZXdXNHcEhPQ0FSTFBDWGZ5V2ZXQytVSThPM1FkSEhRaC9XNXpzZ3RFWnVhYWhkWk9lY2VsQmtnS0NIZ1o4NTFpN2IvY25EN2VsRHlCVGJuNHFKRWhSWVRLWUNRZW82SEpFd1N5b3NhOVJrU0lpQklBaGVHaTlSRWJYY2xMY1JnR3FoMXp5Qi9JUHFmMUtXOXFMbzhzaU9wRUlUU3BOeks3NSttMlc0L2c4TjJLTGgvb1MyeGEyTXZGU0pTemdZZmpwYjlOK3pVeE5XR0xjZDVQR2J6STdkYW4yY2tKSmE2UkhLRG1WTWtqYW1ZTHh6M0ZKK29SdUFhTzFpcjMzWGViSGV6ZHErQjRKT2FweVhleGs4M1hIbG1kS211UTg1aWdqRmZPVElHMmFJc2FXcTdDL0ppZmdyK0pqdVRoSm55TVdyYkNSRTV2VkZ0MEdJYWlvR1NsYktIM1RYUnhaK0tXdXozZ3ErWXIzSWNrT1RIRUgwR0FERy9pc2lQSWV4bHJHNmRZaW43V20vUGVkRGVzd0t5TFlwVFMxejNzVGVTSXRFbXpZSERNRURzS0FsNVh5anZOalJvNzg5OHVhRW5pMWIraWpCc2p5b01EY0RFaHcxZzhseWpIZldrSjRwRitIWGpuMzJBak9qb0ZuNVIrcWM1ZWpsTVVxV0N1OUU0UWJTZWtWbmcwSW02OG9naWF5WVVDQTlZQklSd0Y5b3l2REZ5WGRJblhFOFFsZDRkYks2dUpwM2xzbERkclNWczBZQTdxRnBQY0MrWWdFZnBEa2NraXVjR2RINTFWaHYrMmJNWEpabmdNMTU0Sm0rcUJ4MGhOd1R0K1AyMGZ6ZlpueDh2TEM5c3RxZUxPVm9lNFhlZzhQS01TdFQ1ei9yRGQrZk1nTVB2MHd5bWVybEM5ajJ4L0tMYnRTQmtNa0hkTXZjWVY0cjhJNkFCV0tvNE50QmhTYk8wdUcreDUwbjdkOTFhb1R1ZmhrM3plajV1dEM0ZElGRmdFMkZXMmdvcldzSTBBT0huVXJadlgrYmJxYmFZUFMyT05XSW9wcW1hVVUrVXZPUzcwM2Q4WWtjSGFyaTdFREE1dVFKVG5xT1I1YkpieFk3U0hjWEVmMFZFeldpcGgrL0FKMmYvSzJUVUhoNjZZMnpqdnM4cHdKZURKRUQ0U080OEZHMEtOTjk3UzN5NEJMdz09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWREYXRhPjwvc2FtbDI6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should be valid signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should return a valid user', function(){ + var user = JSON.parse(bod); + expect(user['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']) + .to.equal('_89841b346092548fd44097a1e7c426a4'); + expect(user['urn:oid:2.5.4.4']) + .to.equal('Müller'); + }); + }); + + describe('invalid SAMLResponse in POST', function () { var user, r, bod, $; From 3a8407989813d5c68917465e08e000ea9c421e4f Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Wed, 16 Apr 2014 02:46:34 -0300 Subject: [PATCH 068/203] 0.11.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index bd50a58..3ea5ede 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.10.1", + "version": "0.11.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From fadefc31da2b59ef44c0514ba16b545543c8b29e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Jun 2014 13:48:03 -0300 Subject: [PATCH 069/203] add support for custom assertion request --- lib/passport-wsfed-saml2/samlp.js | 55 ++++++--- .../templates/assert_and_destination.ejs | 4 + .../templates/samlrequest.ejs | 13 +-- test/fixture/samlp-server.js | 40 ++++--- test/samlp.tests.js | 104 +++++++++++++++--- 5 files changed, 160 insertions(+), 56 deletions(-) create mode 100644 lib/passport-wsfed-saml2/templates/assert_and_destination.ejs diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index fa700a5..40c247b 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -15,32 +15,51 @@ var Samlp = module.exports = function Samlp (options, saml) { this._saml = saml; }; +var supplant = function (tmpl, o) { + return tmpl.replace(/\@\@([^\@]*)\@\@/g, + function (a, b) { + var r = o[b]; + return typeof r === 'string' || typeof r === 'number' ? r : a; + } + ); +}; + +var trimXml = function (xml) { + return xml.replace(/\r\n/g, '') + .replace(/\n/g,'') + .replace(/>(\s*)<') //unindent + .trim(); +}; + Samlp.prototype = { getSamlRequestUrl: function (opts, callback) { var options = xtend(opts || {}, this.options); - var SAMLRequest = templates.samlrequest({ + var assert_and_destination = templates.assert_and_destination({ + Destination: options.identityProviderUrl, + AssertionConsumerServiceURL: options.callback + }); + + var model = { ID: '_' + generateUniqueID(), IssueInstant: generateInstant(), - Destination: options.identityProviderUrl, Issuer: options.realm, ProtocolBinding: options.protocolBinding, - AssertionConsumerServiceURL: options.callback - }).replace(/\r\n/g, '') - .replace(/\n/g,'') - .replace(/>(\s*)<') //unindent - .trim(); + AssertServiceURLAndDestination: assert_and_destination + }; + + var SAMLRequest = trimXml(!options.requestTemplate ? templates.samlrequest(model) : supplant(options.requestTemplate, model)); if (options.deflate) { zlib.deflateRaw(new Buffer(SAMLRequest), function(err, buffer) { if (err) return callback(err); - callback(null, buildUrl(buffer)); + callback(null, buildUrl(buffer)); }); } else { - callback(null, buildUrl(new Buffer(SAMLRequest))); + callback(null, buildUrl(new Buffer(SAMLRequest))); } - + function buildUrl(buffer) { var parsed = url.parse(options.identityProviderUrl, true); var samlRequest = options.identityProviderUrl.split('?')[0] + '?' + qs.encode( xtend(parsed.query, { SAMLRequest: buffer.toString('base64'), RelayState: options.RelayState || '' })); @@ -98,7 +117,7 @@ Samlp.prototype = { validateSamlResponse: function (samlResponse, callback) { var self = this; - + if (typeof samlResponse === 'string') { samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); } @@ -116,24 +135,24 @@ Samlp.prototype = { if (!isResponseSigned && !isAssertionSigned) { return callback(new Error('neither the response nor the assertion are signed')); - } + } if (isResponseSigned) { - self._saml.validateSignature(samlResponse, { - cert: self.options.cert, - thumbprint: self.options.thumbprint, + self._saml.validateSignature(samlResponse, { + cert: self.options.cert, + thumbprint: self.options.thumbprint, signaturePath: samlResponseSignaturePath - }, + }, function (err) { if (err) { return callback(err); } - + if (!isAssertionSigned) { return self._saml.parseAssertion(assertion, callback); } return self._saml.validateSamlAssertion(assertion, callback); }); - } + } else if (isAssertionSigned) { return self._saml.validateSamlAssertion(assertion, callback); } diff --git a/lib/passport-wsfed-saml2/templates/assert_and_destination.ejs b/lib/passport-wsfed-saml2/templates/assert_and_destination.ejs new file mode 100644 index 0000000..6e3b714 --- /dev/null +++ b/lib/passport-wsfed-saml2/templates/assert_and_destination.ejs @@ -0,0 +1,4 @@ +<% if (AssertionConsumerServiceURL) { -%> + AssertionConsumerServiceURL="<%= AssertionConsumerServiceURL %>" + Destination="<%= Destination %>" +<% } -%> \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/templates/samlrequest.ejs b/lib/passport-wsfed-saml2/templates/samlrequest.ejs index 7a88cae..00e6c86 100644 --- a/lib/passport-wsfed-saml2/templates/samlrequest.ejs +++ b/lib/passport-wsfed-saml2/templates/samlrequest.ejs @@ -1,8 +1,7 @@ - AssertionConsumerServiceURL="<%= AssertionConsumerServiceURL %>" <% } %> - <% if (AssertionConsumerServiceURL) { %> Destination="<%= Destination %>" <% } %> - ID="<%= ID %>" - IssueInstant="<%= IssueInstant %>" - ProtocolBinding="<%= ProtocolBinding %>" Version="2.0"> - <%= Issuer %> + + ID="<%= ID %>" + IssueInstant="<%= IssueInstant %>" + ProtocolBinding="<%= ProtocolBinding %>" Version="2.0"> + <%= Issuer %> \ No newline at end of file diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index bf86680..3c22f85 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -11,14 +11,23 @@ var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; var identityProviderUrl = 'http://localhost:5051/samlp'; var relayState = 'somestate'; -passport.use('samlp', new Strategy( - { +passport.use('samlp', new Strategy({ path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' - }, - function(profile, done) { + }, function(profile, done) { + return done(null, profile); + }) +); + +passport.use('samlp-custom-request-template', new Strategy({ + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: identityProviderUrl, + thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309', + requestTemplate: '' + }, function(profile, done) { return done(null, profile); }) ); @@ -113,7 +122,7 @@ passport.use('samlp-with-utf8', new Strategy( thumbprint: '42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031', decryptionKey: fs.readFileSync(path.join(__dirname, '../test-decryption.key')), checkExpiration: false, // we are using a precomputed assertion generated from a sample idp feide - checkAudience: false + checkAudience: false }, function(profile, done) { return done(null, profile); @@ -167,7 +176,7 @@ module.exports.start = function(options, callback){ } //configure samlp middleware - app.get('/samlp', function(req, res, next) { + app.get('/samlp', function(req, res, next) { samlp.auth(xtend({}, { issuer: 'urn:fixture-test', getPostURL: getPostURL, @@ -179,7 +188,10 @@ module.exports.start = function(options, callback){ app.get('/login', passport.authenticate('samlp', { protocol: 'samlp', RelayState: relayState })); app.get('/login-idp-with-querystring', passport.authenticate('samlp-idpurl-with-querystring', { protocol: 'samlp', RelayState: relayState })); - app.post('/callback', + app.get('/login-custom-request-template', + passport.authenticate('samlp-custom-request-template', { protocol: 'samlp', RelayState: relayState })); + + app.post('/callback', function(req, res, next) { //console.log('req.body'); next(); @@ -190,49 +202,49 @@ module.exports.start = function(options, callback){ } ); - app.post('/callback/samlp-signedresponse', + app.post('/callback/samlp-signedresponse', passport.authenticate('samlp-signedresponse', { protocol: 'samlp' }), function(req, res) { res.json(req.user); } ); - app.post('/callback/samlp-signedresponse-invalidcert', + app.post('/callback/samlp-signedresponse-invalidcert', passport.authenticate('samlp-signedresponse-invalidcert', { protocol: 'samlp' }), function(req, res) { res.json(req.user); } ); - app.post('/callback/samlp-invalidcert', + app.post('/callback/samlp-invalidcert', passport.authenticate('samlp-invalidcert', { protocol: 'samlp' }), function(req, res) { res.json(req.user); } ); - app.post('/callback/samlp-signedresponse-signedassertion', + app.post('/callback/samlp-signedresponse-signedassertion', passport.authenticate('samlp-signedresponse-signedassertion', { protocol: 'samlp' }), function(req, res) { res.json(req.user); } ); - app.post('/callback/samlp-ping', + app.post('/callback/samlp-ping', passport.authenticate('samlp-ping', { protocol: 'samlp' }), function(req, res) { res.json(req.user); } ); - app.post('/callback/samlp-okta', + app.post('/callback/samlp-okta', passport.authenticate('samlp-okta', { protocol: 'samlp' }), function(req, res) { res.json(req.user); } ); - app.post('/callback/samlp-with-utf8', + app.post('/callback/samlp-with-utf8', passport.authenticate('samlp-with-utf8', { protocol: 'samlp' }), function(req, res) { res.json(req.user); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 0bc1ade..849f766 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -6,19 +6,20 @@ var cheerio = require('cheerio'); var xmldom = require('xmldom'); var Samlp = require('../lib/passport-wsfed-saml2/samlp'); var fs = require('fs'); +var zlib = require('zlib'); describe('samlp (functional tests)', function () { before(function (done) { server.start(done); }); - + after(function (done) { server.close(done); }); describe('samlp flow with assertion signed', function () { var r, bod; - + before(function (done) { // this samlp request comes from Salesforce doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', @@ -47,7 +48,7 @@ describe('samlp (functional tests)', function () { describe('samlp flow with assertion signed with different cert', function () { var r, bod; - + before(function (done) { server.options = { signResponse: true }; doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', @@ -67,7 +68,7 @@ describe('samlp (functional tests)', function () { describe('samlp flow with response signed', function () { var r, bod; - + before(function (done) { server.options = { signResponse: true }; doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', @@ -97,7 +98,7 @@ describe('samlp (functional tests)', function () { describe('samlp flow with response signed with different cert', function () { var r, bod; - + before(function (done) { server.options = { signResponse: true }; doSamlpFlow('http://localhost:5051/samlp?SAMLRequest=fZJbc6owFIX%2FCpN3EAEVMmIHEfDaqlCP%2BtKJELkUEkqCl%2F76Uj3O9JyHPmay9l4r%2BVb%2F6VLkwglXLKXEBG1JBgImIY1SEpvgNXBFHTwN%2BgwVeQmtmidkjT9qzLjQzBEGbxcmqCsCKWIpgwQVmEEeQt9azKEiybCsKKchzYFgMYYr3hjZlLC6wJWPq1Ma4tf13AQJ5yWDrVZO45RIDOWYHWkVYimkBRBGjWVKEL%2BlfEhDSjhlVEJNLvlb1%2FqOA4TJyARvynPH80qFFJPAdg%2Fh1fNnGVqpKO3OLkZonUfJ0Nu2Y2t6PdlVPj1RZxVlThywI8rihVH0MuksTQz3sx1Fm2xv5LO9nYSs5KXxfnm364%2FwfMDPWMqn182qHOqpjzR0dncsM6xO1Vs7h860HI97yrB7xHE9dt2loy%2FQu1prie%2FMcuNNL2i6nUdWp%2Fdnk3yekb7dXYhWjFjil%2Br2IC%2Bd%2FexlNF7wS77Zomvo7epFbCuyVx5tq3klYzWeEMYR4SZQ5LYqypqo6IGiQE2FmiKpencPhOXf%2Fx%2Bm5E71N1iHu4jBcRAsxeWLHwBh82hHIwD3LsCbefWjBL%2BvRQ%2FyYPCAd4MmRvgk4kgqrv8R77d%2B2Azup38LOPgC&RelayState=123', @@ -120,7 +121,7 @@ describe('samlp (functional tests)', function () { before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5051/callback' }, function(err, response, body) { if(err) return done(err); @@ -146,7 +147,7 @@ describe('samlp (functional tests)', function () { before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5051/callback/samlp-with-utf8', form: { SAMLResponse: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9mbWktdGVzdC5hdXRoMC5jb20vbG9naW4vY2FsbGJhY2siIElEPSJfNzY4NjU5OGUzNDk4YjcxOGM3MjcyNmZlMjVhZDU3Y2MiIEluUmVzcG9uc2VUbz0iXzM3ZjAyNjJkYWZlNmJhZWFmYThiIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDQtMTFUMTE6MzU6MjQuMDYwWiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9hYWktbG9nb24uZXRoei5jaC9pZHAvc2hpYmJvbGV0aDwvc2FtbDI6SXNzdWVyPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpFbmNyeXB0ZWRBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjx4ZW5jOkVuY3J5cHRlZERhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiBJZD0iX2M4ZjVjZDJlMDBjZTIzOTBhMmQyN2UzNGNmNDBlYjZhIiBUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNFbGVtZW50Ij48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIi8+PGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjx4ZW5jOkVuY3J5cHRlZEtleSBJZD0iXzBmNzM0OTg1MWQyNjQ0OTY1YTQ3YzZmNTY5NzUwOTUxIiB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNyc2Etb2FlcC1tZ2YxcCIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIi8+PC94ZW5jOkVuY3J5cHRpb25NZXRob2Q+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRE96Q0NBaU9nQXdJQkFnSUpBUFBvSHJFcGI3b3VNQTBHQ1NxR1NJYjNEUUVCQlFVQU1CMHhHekFaQmdOVkJBTVRFbVp0YVMxMApaWE4wTG1GMWRHZ3dMbU52YlRBZUZ3MHhNekExTURZeU16QXpNVGRhRncweU56QXhNVE15TXpBek1UZGFNQjB4R3pBWkJnTlZCQU1UCkVtWnRhUzEwWlhOMExtRjFkR2d3TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUtiOUdpZmYKK0t2UVB3bzllb09iU1c3Tk5ZWkZyVW94Um43NHFNY2RmWndrdXdHM084RUdpOFgrVXNOdE5nd1FsTVZmWXQ5bEtCNzFpSlNsS09CaQpCUFNGUDd6UDlqRnRUbmZKY2FSdmR2WVBvSUM0WTgxdHU2TGtOTjNlMS8zMU5wK1I2cGQ3RjZMZkhXcXVmK0IraHlISkNYYXNkZDZKCmxHb2ViOTQrZW1wajlsbTh3SE5iM3NyLzg4Mzk0S0ozRlVCZXhQelE1cnBLTGU3ZDVmbTRFS08vaXlFcFdIVWxmN2RmOXlHRDZtNzEKUHhvKzhyOERxcTdBNUVoR1gvems2U3V3WjRqL3N6aXp5bi9jWHVsbEdnM1BBc2M5WFhMVDQ1NUExS0VCeDVlVEdyTWM3SlEzdURVcQpxZkRmNHZqd2xOQmNJanhnMlgzZE0wc0pWay81cjAwQ0F3RUFBYU4rTUh3d0hRWURWUjBPQkJZRUZCczVscGZ2ZXlPU29wbU5WZWVoClhQK1BHdGszTUUwR0ExVWRJd1JHTUVTQUZCczVscGZ2ZXlPU29wbU5WZWVoWFArUEd0azNvU0drSHpBZE1Sc3dHUVlEVlFRREV4Sm0KYldrdGRHVnpkQzVoZFhSb01DNWpiMjJDQ1FEejZCNnhLVys2TGpBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQlFVQQpBNElCQVFBMlprM1NtU0dUT2gvNnJhemVtL0ZpOEd6RW9wY0tkSUUxdWVDaFRzQXpoNi9taW01cTVsSDBQVzFiODVzUTMvYzMxU1lVClN4VlpCODRLMk1QNitod0MwV1p4a3E4eTBpTUVFQXhXeUMzWjNpOXBTbEdkdzdzdi9OV0p2NFlQam8yc1NOSHVaODBPMTFhM2NYb3UKWXhMTzhEQlJNcTlWVHM3UmI3cUtGQldsNUl4K2NaeFZnbHJ4SXY2VzA4T3JybXFQZW9EanVpSmlCajI4Y3NqaGVoWUVsS1ljblU0TApSZElqQmxaRm4xQW9USlJCRkF5akw4QnZTTUlNUmt6RXJvL0dwM0l6ajYwM1JCVEdPa3ZuaWFsS0hjd0xuVkZGRTB4ZVpaVXE3S3cwCkx2TzBYOHVTM0RYN2RUYzJvcXpYT1R4NDIvT2o1cTl4VXVhaXVYME1SWlQwPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PHhlbmM6Q2lwaGVyRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkNpcGhlclZhbHVlPlBtN2dVRDI5d1AwMTdLUnZKTmdmVzUxRkQ0eHlUTGJ5RDdXbElNRVZUR2xzWnc5K3ZNbUdzL2VkdXJoT2ZVZEV2SGZBV04vdUYzYkxCOTl1Q1pFN0dHLzJ0aDVBS2pLejFaN1NvZWZuUU54dnFvbXUyNUNmWTEwUzFpbitNMU13N3ZrcTZlS0c4bndEQjBDc3JsOXJ6ZUMyekNQRFc1TG81N0x2NDNNbUVpM1dYZkVhbkQwZDJZT2NRVFppaHIzUlpnajl0SDJUQmVKZjhNN28yY1BrOXFBWk40aU56dk1oWE5OV0RDR256SGxIdXNxVk9RNWM4d2l5MmwzdWlUZlk3aEIvTVhpUDVmemRPYitEbWw4NlJrT2MyUVd3RHUwQ0t1ZHBveVRxQW90OUhFZ1JoL25tVXVSQkVKQ3NtWEdyN3FOM3ZSWW5HTXRmdEswZG9VYzN6QT09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpDaXBoZXJWYWx1ZT4xY1JHdFhpWFZMYXRhSHFTMWVLM3JtTjlQcnJyZ0laR25XM0xPT25aektuU2w2dWFKWnRENXFyQkRURE5zaXg2ek15cHJPOU5KQVlQYlJEQ21CbWNaVStMSm5aSVdtT3IrQ29SdWJBUGdIT2Q3Q0VoQVB6RGVJZFh0S0V3R29hNHNKbXJRMjlCR3VSejBYS3ljTlJhU2lJa0toRm40dTZCRzV0a2dzS0RRT3Q3dmd0RzhuV21pczZqM0lYSVdrWGpXT2tKWjBHbktXajJqd3EwL3ArdEo1OXM1R3lTQi9uVy9nQW1PcjlLelhJMllQWm5CTk1xSUl6ZTZPNDBaaDRtaXpmUmdTSzM4dE5XQ3NCRlB6Q1krZjJWZVlsMzVORythdUhEZU9BRGtkQkR4d2xqRTJCV0Q2MXBKaFhuRzBTRVBIcnV1b1k3YldjWGpoNDVYLzhiM1hNcHF4ZDFjRFJPZkZMdFRMb0syVjVqcnhiRGRvcVh2TFR2NnZ5NDZGVkZYRVNEV0xmSGFxTjBOTlNsY2hORXJmcFV3SDRNUXNVOGU1UW1yeEw1QUVDVldmQytEYnNOZTVjZFhZcS8wVTBkcWJPV1ZlQkdVL3h0KzJEWmVhSFBTZVpweGhCb3diZ0FKejRlTlpQdnhIWVRGZHducXZhemRneWo4VUdHbEQvZjFoSXFHWHFja3BNbTJ2OEplZUd1akV6SDNnMXNOcEluWG40eVBaTUFLSEtOaVhIZTF3aWk1V2V5Ty9tMHlCUGZreGRrMll1S3NPMy9KWDlOcXltNXV6WUIzbmZZN1JkR21pdXBDV2tpb05aL1hidG5Bb1dDSENyc210am1kdm5rM2NBTVAvdmNSWmluQm9pSjgxdnBLdTNtSm5FdGV6cEVqaUMxY1dnTUxoLzZRK29MbXZOL1dyNVZWZmxjSFJYMWNhTEQrWURncnkybTVCbHBTRjhVKy9KYXR6NjR3Y0V2aXlqVFgwelN6VlRtakptZG44a3FvSEN0V3RvVCtWQUt0MG9CcGRMdHg5eDUzUTVTVG1rUG5xOXdnc3FWRXBGZGFHK25qM1RiZkY5K1FBMHFCVk1BVmxpZmNyb01YTzZRZlpFZUwwNWpFZWFSUGZpK0t5K2tVNUUvMFduTWFVUU1ZZE1kUFh5NW1XenZuZHMzVE5DczRjMWhYc1c2SXFoeTRnQjFPdEFVdjhIeEtPWVhrT0ZMMVN4TEs4Ty80UUUwVEFGd0hvZ0hEY3NVTEIvNDJHZ3IxZjZJVWcyTGNjOTMvN3JOUkhOV21OK21ienBJdUUvT0lRTEM5RW5yM1ErSkdURFJKajJsR0Fidzk4MnlsUzYyS2ZETDlKMWEzdzdtb0ZKM3ZubTdTUmZ4K25CREw2YzFBSDJTS0s1SmsrT3VDOWVSWllwMDdXMy9TQnJOWFVUUzhpbnpRaERLSWwvOVJ0b1Bzbyt3K3RnaCtIY2svNERaQnV0cmtpY3BGejBWZm5pK0VGZXBEZVJLT1ZwY1JNclVFeHdvWFZ3SitBUldMRnBIdDFJQjh4TmJTeFU4WUpzeDlMdWxGeXhUQzVOYWFqU0N4WFhkRENFajE5U2o2MFRYZGcwOHNRY0NYdGxUS1dLVDdQQXl1cGo5dFZtdVg2NkEweGQwdWt3MmhjbSs1bnB4REtEbUhKdWFMSUlzSDB4WDFyQVE0a3VqVHg1aGNGZnEyMDZIK2JBUE1xTEYyTjFDSnlkYUJMd2xoejRwa0tPczhMRXVzTGtySGVUK3hFeHBETnk4MzBZQ3M1SUpnTkY2R3dFcFdiaklGbVNIMlpzSnBycnB4b3h6eGtuZ29DSzYvSlRkYUVoM0diWkVmaFNlSW5kTGFnUktFcjZ5azNFMS9sNzlxTmxCbzlpUndTRE5UVXdkMmVHOENhZVpyYjJQZEIweDk2L3Z4L2lkUXNwQjNCQjkrbzBRaFhndVp5c0pDMmtIdmZUSndZZjRWVDBoL01TQnk1dGVWYU1kUWZxUmpCVm9pbGZncnFaVjlPTHZOOUw3TzUxVGFqVE1EcmdleGxIV3VNNVhMczZUK3pNdXM3WisrNys2aGNEUGg4UXpxY2ljVyt6TGpOTHN3OXhZS09CNlJ4T1NHTy9CekkxcExhbmRHSnJ5bXVsWlBicUJyZEQ1MXFWNUxwWjVBcUU2MHg5RGc0NDNJRkpPeWIxUzN3VCsyb3BBVEFDVDZQV3o0blJsNHZJc2J1M1RlVGdGTXZiUHdKdmV0U1d2ZjNwckdRNDlqVHpMaXhlSUlRTmUyOXdYamZROE1TKzJSUGppMnlpQVFCcllITWo2UzBiWFloYUVCRmFGN1kxNTRxMVJORk5rTmpmN2tVQjBTbVlnaVU4em83QjdLNzRwTm1SbWxIcitMcGtFcHVyVEU5Lzgvd1hhRWFzSitIb0UyNVlTYnFZRitxKzQ1L1NFcEJQdWpCa2ZQdkQwR0pqVCtnbGxiNzFWQU9nMTk2dGN2RFU4TUduSUN6SGM0ajJRaWVhZkF2YzZMNElvMEJRQXhnNDZXTTlIWVJyOGhZeURQNzFCMC95Sm5CV1R5QzUvWFNsRmsrQWFQeXpxdFZpMk5GeFh3bnRldzA1R1NjU2F2NDdKSEFRVFZaRlJsd2k4RkNtaUpKZWVQVWRrb2FlZExOT21oUXFMN0hmZ000RDRmOE9MaHhxdng3Ym5QQkRPMmlBcndYbHFrdy9Lc3l4dlQvZVd3NUZMOW41KzVDTWxiYnJCTEpNM2o2WkVxM3RJOWZuYk1vNmFHUERRb2RURUMwaEY2ZHdJYm02VG5tdFlLcDFZSTR5UWlzMUFURmIxbTY4R0htS0tidXNiMGE4N3BKbzRYbDlQdVdLSFRhMXBWdDBVTWw0RWJjNm14aXdyRytIZzNFdDRXUk5qaTJHQXhWMmYyekFaN1ZsNXpGRk02dmdxbFlqQ3NWZWNLekM1emp6T2Y4aDd0UThKdTUxMWJpRjlhN090cFhCWHZqVWdvcVRFV25SM1pyRjI4MkNNV3VvUXJHbjlwNFR2eldORU1iWjd2cGJiQ2tYS0t3cFhhWXNzL3pwcHg2d3JXWTRNOUdoVE45RVhXTTRXUGVpbmZ1MStUQUdDK3dISFVTd2h2TE9Ob0RsaHhqcU94MVVweVZubmxTeTV2QlBIbWRrYXgzT3o4MWhIY3hHVEtvb3N1U0hRYU9hL2xRelY4Sm9sM2RyZURobjlBWkM1bjRsa3hYV0tUOEhuQUNMS3VUTE4rMXpQUVY0UWorSDcxNUloNkZzNkE3bGY0dVloY2pWcWNVdWZrTHFvcjd0NjdOck5FekIyNSs2UVNRSlhMbTNUU2M2UTlCUDNjNUhWOGZzVHJEL043RUdJUkJGL3BTNldSMzY2UjV6WkJiWjZXbFNOek1TcnlwZnlQVDk5ODhJeGtLRFZqYjE1MkZ3Njg4OTZvUS8rckdxY3BxYlB5bmsvYkpVbThWWU1vbzA3U0J4Y2hURncybmtRc1VLT0J2MkdJT01WQ0d0YUVmWDh5YVBlcGZ4UGFxSm5tVjJTQ2U3Q09vVWQ1b3g2SzgrL21uWUZaTXJ6N3RYQ1VIU1MybDdyU3BYTStXZ013VnIwalh5OXdYSkxKK3NLM0dXSDZYVDAzNHZrMk1KZHdmcU9zQnBwTkFjeStNekd5NDlFVlFULytQb2FlT245MzM3aHBibjFnVmNMd2ovWGMzRll4REtkakY1OGNUL2d0dG52aWRhaktUcGNnQ1l4R1F2KzNRUkhidWFEWnRyRXY0L3phNnpiRGZHcEtzbklqeVVhc21HeHpiQ1Q3ZjFMQU1aYlJwaklnYi9ScVRnVnhEQXRhUGNSVU9YTEE3N29ZZm83Y2h2STd5RlJGbk9lMDNURDhHRFFLaGI5VUlzN1JmRXNYS0xVOVZwZVp3NnZ4Q1lNZDhScTlDbG5kOG1jR0FsNDgrOTRVeUFWZUdUelYzMWVCam44QjQ1R0wzWDkxL2JULzExaHZNS05YMjFQbUZ5eVR5YzZNMXhVY3IzN282YWY0SEFzVW5YZ1o4U1VLUXdKUE1WQzkrRW52RHByUjYvWS81S1l5MFVnb1IrR01IRTNaMXl0UUdZWEZZRlVaVW1NVjJVZ3oySW5pVTRhWExYNFlxQjhMRVgvRjVENnUzcVFCekhkSXhPelNTdlRiRXN6dVhuOFd4NStMNW1MVGM1U1JuNmxQZTRIUVZ1U0lLYzg3Ym5UTDFzNHFadjF0KzlaTUxLSVRHc1J4bjM1YXFZdVBMdDVOM053MlBZUkg4ZHFyZkwvWlA5WW5CWXo2aEFlWXZQVG5pYWF2ZVYzU0dNeW1VRVM5YlVtbHRjOUo0NnR3MkNwYkkxT0NDRDJ3dW1ucTlvbkZEam1oQUticENkaVNlSXFyNll4Y09QbzFXTnNVMmR1Z1Z3L1dYbTl5RUJ4S0o1UHJjNHJhdjhPT2Ezc0g0Z0cyYm9KeEMrMTluenZDbnVmTTRiRVQ3WVY5SVdmaDJLOGJacytRYTZPYjBTOXZnUWw1YWhGekpCUGhNUW91NjhKLzNkQm5ScUlPUENUMUhxcDN2aktlR3B4bGQxRDl3azZNYUREakl4aTJvWDQ3azZYREt6UkprUENabnJFTDZSblRodFJ0dzhiRUJCblZvdTdHWlZMZWtmRmw1MGlHTldBTmJpYTFGaDhad0c3SmxGbnhQZkhOdHYwM1QrT0dmOGhnMDV4YVlWQjRtZURKeC8rWmJBQzBKYUpYeUpNMnJmeTVuY3UxTk9BNWdEV1E3Vkp0MlFyQXh2cmQ5TVV4eHRnbHRtek1Nc1FZbDd3QVByMk5QRW1Nck1EeXJCcVRNY0JWbVg2N05sNGhBck44WUQySE9WZW5pZkkzcGFZSXMySTg3eWJ4SVNsMlEvbDFySXdScHFZSFVzRGNqVjBmUzd5c2VVZUdnK2hEMDdZR1RWaVkvT0JHeEswMzJneUtUcFdVMHFibW8rWTYvWkdVdnBqbldCRWJ5QkhkZ0xia0JUL29CNVE0azdLMi9TQXd6N29DZStJWG9OYkxYYkFNSGZIS296WFNxUysxQkN1TUUxSnNsWGpSWFk1WWJnRms2MU8zUndLRFVMaExUNUdmSlVFUVNoU2h2S05naHYzOUlBY1o2YWlFWlp3WVBUK1BudnNpc1hKanFiM2lhaU1yMCs5aEIvR3hrOHN5amRuVU1mL3FJOEpRU0k5UVhIZ0t6UU5pY0dSZFdjNUpXUkZreUIxMzh5dUF6NHQ4eHI1SzFhNStBUHJ6M1JJem1KWExpSlBySkhhcnlTL1ZNclBKaHR4WFpoYVlsYlJPRFptaUJjci9LVGlaVk02OWNlK3ZTa2FtZHFCakxFTThNWHZXQzRUY1poSDUzZXlmblJNUjIyb3hKVEVlQjZDYWJFZ3diNjNtQXlVb2JUSkdabFlvZ2NpbTZXZ3MwWnFDNllhaVR2dzNuLzEwWnhHWE5XRnNMRGhDa08vTGxqQWh2SXo0VElnN2F1UCsybXRNc2pram9IVDRDMG5QcXhGREZHanVRRHJpblRDZU1ZRGtnVTBhRTZtMzNnRGp2UEZDbGNqTEc4bTd4REtKbmwzTDNsVCs1eUNJSTNvY2NqaGxpTGVlN3JzSklkeFFaeEd3aDB0RUtmSThtdGYxbzlOSnllMEc1UnpXOTdiOXk5T0hEaVloTWNtalFHVHA5ZE54a0h2cU9qak9QbkdBL1FYZDcwYWVHVy9PT25MUjdBdkRzS1owbENrZDN6dFh6eVVLZ0VwQWRHK2FSbkNsT1JodG9xZXJwN1VxUHJvTmRGdHVNWStnOTlyWU9XS0RxSEo0ZFBBK3lRTkFRTHVBNTBLMU5RMHgzbEdlSlpaaTQraCthN1RRdDF4UVNqODBWVk4zR0VJc1I3WE02RXRNa0JLa2h0NjZoS1pQejJpT29mSVl1YUl0QkJiUWRZN3RXTW9LMElUL2ttbVMrK25MSmJiOUh2WDdqMGxvVWhqVFdocHF1MDQzcHRVeVBvWlVEaEVicmVsVzJldW9kc2ZuNHhoN1A1VUlaR2FNVU5HZ2k1bnF6a2p6MXVzaDEzU3huN0g1NTdZeGlZV2p2TmVJWmd6ZGJWK0dKdERDczBoVm0xZzhpbDh2MnEyazViLzlRZWh1NVVpTFNVZ3AvYVp6d1hOL0xkajQyVWxpWHM4TWRPOHVRVFRnZzZDb0dEbVcvaGJZZU1BV3NFelBlUGliRENmU0t0c0gzTlNGWWRUU0hFdjJYUU0zOEkvL2JpTlR1VWhSNzYxT0U5Qy9ndVFmd1lnbkRJZ05uV0NPUTdYRXRqSHZ2SDM2OUZiSEtnNlpwVmlzRWlEMk1qYnpCbEJsTm5FTFFBU3dQOVVBME1iWVQ2L0xuS3hYTnJXTDRwYWs5WjA0R3FBTm0ydTVxcFp5WGZFZzVGWXdUODVHbUpmSW9JQ2lCSk1JeHE0bXlwdTZ4dWRPdnhPeVVCZFE2enQ0dDR4MHp0TWQ3KzlNN3YzdjNjTVZOVFh0WG9NUEZLL1NKQWRaSGVxb2ZIS0FtcEJiaWV2ODhWL05XaVR5SVVUT1c3bkxGdWpSYUtPODZmWnB5c01kKyt5Q0crcEJDZyswZFY5d3RuYjhkdnl5d2hENkoxTExoelQydGZhUU5mWHZ3VUw1d255M3R3Zkd6M3NhV1A2YkYrSmpZd000SlltYjdEbUNySTZML3M5WlJ1TWlGclRFa3JqNUJ0T2oyckpObFlwZ1NWZ2Z2WWtLWDhmZFVhdWczRWRzVktheThkNzRwUE11S3gza0g3N0ZWbktUdWNiTEdSS1AyU1FuT1RvbE1ZTHNlQUhOK2phUkNpODJldTRFVzBxbWNmYjJNM2JjNVBzd0s3UUVQSWVnYW02Sm5jMFhOeUVPU2NWU1hmUUZEU3FGME1jSkVjeVUyQmIwaFgvTStNazd3SEFRUjBxa2tOQU5KYXkrbFAvQVliWVJ1dUtPWTdXRUxheHUzM0dhZ3pZeU5scWJFR1BQQnBTU2tTbCtiMXEyZHRXWGhmd3JXV052Z3lnMUQ4eVN5U2pJUXNaTEUyS1pab2RuZ2labUtqUERjd3pDMFBvcENSVXQ2ZFBZM3ExWTJjMk9Bd1BpY2NkN0YrYWlSSjdzNWpPei9BOHp5NlpLdll1ZW8xSDdoaVd2dFlJZ2YrQy9MaFFuQ0UxR21rODNzdURPQ3JQSUxPMDduOEcrMjZoenEvQ3lGKytGdHNyb29XUTErb29TanNmQWpXaDZ1QUR2N29DbmN3OFdmdjJXVk5pcGVHZU13UlJpcTFuVWFGN3BwK3dONGdsU3NVZzZ2V21GdHQ0QURFeXp3ODBMRExPNGszeXpsQURmc3pJeFc0KzNsT3FKN2loaklvSkMzRlB6djRWNXE5VWFlWjB2NWt2bk5YTmZUb3k0eG95dFROcUVTODFZYjZiK3R5R0pqZFRyai9WZ3l1dEU1b2oyN3R4YU9ObGloYzhObDlQbzZZb3ZrK3BFUU1vMEQ4SlVXNi9qL0FKUnVTT0I1MllMN1BJK3FFQXpIY0tYTXg4d3l3bEVHWEdrako5QXBoWTA4MUFyazJWclA3UEJEd2xwcENlQUtjZ1R3dTNtN0lRL1FibzFQMVhwMlB6U1hVbnI2N0xiRmFTT3ZjalNtNGlBQ3FjeXVPaDFVb0pIRGRRZWJ6UTdrWEdiQ1R6bEVPZ1NRazl5RzJMY25mOGVaVHBvRXZTbUpRNGcyTEovRkpjelBheGI5cUZXaTF0cGt2OVFrd04vTTVSVWd6QmNjNjV2ZUZQZE1ES09VRmU0UnNtV3htbFo2ZXBwQmJxVk5CbFhoQVBIWSs1aXRjWVR3eHVLUGJNRUNjcDYwc01xUEEyMDdoOWl1WVdvclRMMmNyMjQxSlBDQ3lvZVR5TDZ6MjhmbisyQXR5akxCVC8ydXpaUm9iejY4dzNDRUpLU1paQVlURG16ZWpaWXdVbmkxQ3BhM2JEcDNZcHd6ZkFIeEtSbmtwblJUS2gvUmFYVy95RElZb0U5eHQrcFBjb0kycXRLWGZpMjcxRXQ5eUMwTElvRllFQ2dQRE1GRGp2dGZlQTlnS2lpbWNiUThSSGdld3c2c1VLRS81L0VJcGlRS2t0UC9oSUtna2VHbmkxSXJHbnJYNU5aRmVlN1R0V3BlK3ozZUhCRFdJNlh4TGx6a3Y4ZzdQS1ltSkpxZzY2Unl5K1UzSlBkbk9pSkxoTWRzSmd2NDRlNm55am5VK1V5RWRpN3VGTUdoaFdOUlFSNWg0Y1JRMTB4MXMyNUdyUzhZWDlOdWVZNk5nMlAzYUJ4R2E0enZMa3YrSzA2czN3dUl2d2piSWxkdmpqdTM5di80eTlWMlo3VGdRWlFVUVMzQUd5NmFmQ296VXNnN3pFQitOZmx5U0ZwUDQ4eGY2U0NHWFcrbXZ6NVVabWlEMUErNkFlRlBmTktFd1lWZFB2OXN2aElaWlJ6cVQ4RTRNNCtaVUlxS202ZGplRHp1QmdGaEV4djNZNzZlNDd6OFhCa1p0SFV6aHptNlZPTW1rT2JualFlekdWTTBVdnlGbzVYWVZQbzhTQlo5TVBqd1NVbm9CUzB2T01Zb3BSdTBDM1BQR2NVSVFuZ1BncGF2WVRlTHpTWXZzU055WEwySnEvRUd4eWJUekYwN01Kek44VDN6SURUcE9FUjRUOGVGMEl6czVLcERSdFV6c1JLQjFwNm5RcnFmRFdTcE9VRDB1cXU1U3pPTE8vZkJrb1V5QWlWaldtMUFiNWxtSjZWMW4zRHJLazQzVVBMeTJ2MmFMWWZsMWR0QXFkSHBqY2dwaVdLQVptVCtBMU8zMFRLQlVQR3lnTlN5bW45ZGI2ZkJFQWphTG9USG9DS0QrR1RzNTgvTThpb3htM1NUd0F3K1FJUjAyV3RYTjJGM0JpQWV2Z1pGR0xRNEk3eVVvZ1RXdzh2VnFiY0pZWEZOclF2NDl0eVRBcjhRWnhpamIyM1p2Y01EM2ptcDBNbURoTGZza212T0d4WkdLeW9ERzk3b0k4cW1mbzFjQjVxMVUzSk1NSDFudEFiZTl6MWZFTVNOeVpCenVMV3QyQk9MTWU3akNQR0pYSThmKzUrcllmVGJEVlRxeldQK3lrN1pFSVF5TW9kcitoSlE2eEQ4Tm83Q255KzFpMlR0cU1wTGF5YlowUDVDRzlNQ0h6eHMwbHp6bjJiRVFyUmUxVlg5TUJ3NHVmNFFCeUZZZ1phUmN2NzdNdis1alV5QnQ0amhVd3dxdWp3eTRjL3VYdytQQU9iMHBsZ2s0SG8yUDcvUm10bmE0bnZBQWo2Rzl2cVBVS3pqTnh3RmRkRWxFb1ZERDUrK3Q3TnhhYVVXZzljRjhLRFJZU0M0enUxbXNXQXVYZFQ4aEd2Q1lmNjd4bTc1SVB1SnRtZ3FCWmpYUjg3b0NKb3h3aXZ5bzh0dHRxbUFaOFp4K0VCY1hqV2pLMzVKMzZvVFZ3U2JOcnFJYjZLbmpHbEZYSVN3clBORWkrUmtMb3RhU3lPU3ZuS251bERjM0doaEVYYXNCY3dEMElPNzNpZEk0YmlnR2F1bW9sSFF4QWVMRytVOUZycUY4dGdRT1dMenY0aHd3SlFHL2NpNE5GYmZISWpEVnM0bXM5WTdzQldUNkI1T1pNTzZyRE1wOUlsZG1Fcm1VUGE4ejU1ZVdqMDQ1YUxEQkt0Q1k5UHpXaHZXWHhqeTQ3SmxCU2ZETVBNVFhReHJ0T1B1SjRLSmo1V05xTlg3WXoxaTJMTm5weG5KbnltOWNsVTdGV1MrT2dUeTNBOWpYaTFCVXg0QjBHZzhXWUl4LzVBd0pzU0RPVC8yV0NpM09jRXhtUVRveVZrQ2p5UE55ZWNOck9GQmRQenowa1NaQjNJaFU4dW5OT1N0YytaNjdOZnF5K0kvRTlaVDczcUNCYVRJN1UxSFZxQzlsSnluUk1zbUZmMUdvbGNROG5DbXZvK0tPVTVtVkVzL2xvQThIZ3pWZWVNR043SkxaOFhJcUVkbnp5NHQyNlNRbTlobVY2ZDRiS2ZjQmk0MG9XNGZRUFdZRG1pWlorR1MrTDhuSnlYdzNBWkRIWkdKWEhFci85S096RFF0OVU0WVdpYS9NMTIrbFNyWmd5QmlrdWxnbnBBYmU0ZERpMUZMQTZMMUQzQjBIUlozRUdHamRRbng1R1hFZXhnNG9CVlQzS2dRbmpweXJrN0YzR0tQOUhGdnFLTUZ6VWJoL2RCV3k5bjRWc2JXUFlkSDdsSDFyVUg0YzdwN0lrWGc0VlREOE11MzV3b3ZORkErWkVBYmR3Z3o2dTR6NXZpZzhIcHNiUVpNVXZFVy91VE83cVU4UW56Z1o1NHRHcGl2YyszbnBhYnhSUTZSMDNpMHZYdDZCb0JJckFBMndxMmxzMTVSTXhleFZWczdYT25ORDRlcHFoMUJzR2pROC91ejZya1dRNVJFenNCeERxbXpZSTA1UXhYZlducUM2WVloWXpON1FQUzh0SGpYbGxsN0VzKzhVYzhzTytjRkE3REM3Y0hRbVZGaVpXN1NZYmFtTmFHc2FpY2VYTHE4Q3YveDJIZ21oUzYveU1qUFVFVkhoOTVZdHdhc25kT0p5NGdBbUlEWkh0d2RsOWxXY1ZDMDl4MUlBakt5UWlpQjRPLy9DcG9qZjFOUmNiUWF3VVBKMGI5ZXJyWDNFVWM3cU5Vc2NGMlpubXZVVThxM1g2UFVpb2p5TDVGMUFNdWJzcThuOTFmaG5FUmwrY2syQUJWYm9yeEhORlpSVXgvVlNYNHRMZzROUG1VcmhlalNoNXJZUkl6S3Q5OG9PNTBsTlEraS9RVkZUbmt6Ym9SUkkrS0NTM1o1bzJZZ0hlOGx2ZGhDeHYxZ3hjVGhRM21pd2dIeDdmR09LV1Myc2psSkxYanMxbm9raVowTEZ0NTIxaWYzKzFSYVZlRHpCU1hYRFFZVCtwbEI1S0M2L0ZOZEpDWW9mZGVTY0gwK0lHN2FyeWRyOUhUOU5SMXNHczZnc2JYQnNnWnViNXFKVmYzSisvQ3kra2FCYzByTEtyZ3UzZmlGUG1uMDdhWGdtK2xRVjBPVlVkaWVoNm5vQ0oxcHczT2VNdWJ0TU9rcmQyUWRFNEQ3T1ZoVithdUM5b1pIc09uQXhDYnZoYXovTTZYOEFaNXducHUvZVdwdDZ2WHBhWHpXVklJcVBET0NFMnRCSTcrNlNmTHdjVXFlYU5ZSVhtUlRwNnRUOGhhcDduZXpDZldqUGZxU2ZMVGljaFpEU1dlR2hYTXZWNTRCODJ2eWJoM1NBNXZCZDdwRnkzWTlxYnNCaHZDbHRKWmwzK044OXNnbTNJWElyeU5MT3JmL3VUMVJ0NDRrVDNleFM5N3FCWVpteGZXZW5PeUxqOHAxZGJlSjd6MlFxeE1xZXRia3FOUHBucnduMUFMV3VkSU5ZOGhLYnJYS0RDQmhWMmNQTkg3VWdTcnZYVFV2T1UxRnVyQ0FGRThSa09vcWxobUZ4SXRRUHUzNWd4MWFqaVFBTkMxQllTdlkvZzZyL2lLMHRlekFoRGNtaW4xVWF3Qk1qMkZHK2M4ZXdCYzVVbzN6ZUNIdERYVnlsSlY3UUdGVGZZR0JOWmlKUXJkYnFXRmEra01tdjRJUWYzSjY5bjBEeVNwRTJVY0h5dlFKQ3d0czlUN3NMU2h6WWFNVFVKUUFmOHhwcjBXKzVac3NHMjhJcXFsSTNkbUFpM0dQa2REblE3c0ZiNXBWSVVFVHRUQm9kMEp3K0U1UGgvY0Evbk9FbHpRYXRXUmUxWCs3NFl0bzdZSWJBRW56NW1YSGlva1hnTkVzbEdUWXhzWUo5QVBWOSt4WjVKTk1VWFl0OGhrVHBwaFBzN0FlazFpOXhsMW5sbm5FYnY0M3hnM2VMYTRySDBBcy8wTE9GK01yV2Z0aDBoWnQxanJCb05ycmNHOG1WWVJyd29YaXFIS3NSZTRVYTQ4a0YvRXVRWFZKeUZPV05KNUJjYW9xOSswa3lJdnVoeVhxNS9UL0tJTG12cFpTMzZINHJ1bFJhRm1Hb29sejBtaUl4V2FrdHFpUjF1VjhYaWtiekZFUzR2cGV5NHVKMWVBZjUyRCszL2NLY0V6V2E2KzU2VGRFQ0VKQWExWDl2Ni83UzFDZlBxaVkwN1lNMXZXdXNHcEhPQ0FSTFBDWGZ5V2ZXQytVSThPM1FkSEhRaC9XNXpzZ3RFWnVhYWhkWk9lY2VsQmtnS0NIZ1o4NTFpN2IvY25EN2VsRHlCVGJuNHFKRWhSWVRLWUNRZW82SEpFd1N5b3NhOVJrU0lpQklBaGVHaTlSRWJYY2xMY1JnR3FoMXp5Qi9JUHFmMUtXOXFMbzhzaU9wRUlUU3BOeks3NSttMlc0L2c4TjJLTGgvb1MyeGEyTXZGU0pTemdZZmpwYjlOK3pVeE5XR0xjZDVQR2J6STdkYW4yY2tKSmE2UkhLRG1WTWtqYW1ZTHh6M0ZKK29SdUFhTzFpcjMzWGViSGV6ZHErQjRKT2FweVhleGs4M1hIbG1kS211UTg1aWdqRmZPVElHMmFJc2FXcTdDL0ppZmdyK0pqdVRoSm55TVdyYkNSRTV2VkZ0MEdJYWlvR1NsYktIM1RYUnhaK0tXdXozZ3ErWXIzSWNrT1RIRUgwR0FERy9pc2lQSWV4bHJHNmRZaW43V20vUGVkRGVzd0t5TFlwVFMxejNzVGVTSXRFbXpZSERNRURzS0FsNVh5anZOalJvNzg5OHVhRW5pMWIraWpCc2p5b01EY0RFaHcxZzhseWpIZldrSjRwRitIWGpuMzJBak9qb0ZuNVIrcWM1ZWpsTVVxV0N1OUU0UWJTZWtWbmcwSW02OG9naWF5WVVDQTlZQklSd0Y5b3l2REZ5WGRJblhFOFFsZDRkYks2dUpwM2xzbERkclNWczBZQTdxRnBQY0MrWWdFZnBEa2NraXVjR2RINTFWaHYrMmJNWEpabmdNMTU0Sm0rcUJ4MGhOd1R0K1AyMGZ6ZlpueDh2TEM5c3RxZUxPVm9lNFhlZzhQS01TdFQ1ei9yRGQrZk1nTVB2MHd5bWVybEM5ajJ4L0tMYnRTQmtNa0hkTXZjWVY0cjhJNkFCV0tvNE50QmhTYk8wdUcreDUwbjdkOTFhb1R1ZmhrM3plajV1dEM0ZElGRmdFMkZXMmdvcldzSTBBT0huVXJadlgrYmJxYmFZUFMyT05XSW9wcW1hVVUrVXZPUzcwM2Q4WWtjSGFyaTdFREE1dVFKVG5xT1I1YkpieFk3U0hjWEVmMFZFeldpcGgrL0FKMmYvSzJUVUhoNjZZMnpqdnM4cHdKZURKRUQ0U080OEZHMEtOTjk3UzN5NEJMdz09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWREYXRhPjwvc2FtbDI6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==' } }, function(err, response, body) { @@ -177,7 +178,7 @@ describe('samlp (functional tests)', function () { before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5051/callback', form: { SAMLResponse: 'foo' } }, function(err, response, body) { @@ -196,10 +197,10 @@ describe('samlp (functional tests)', function () { describe('samlp request', function () { var r, bod; - + before(function (done) { request.get({ - jar: request.jar(), + jar: request.jar(), followRedirect: false, uri: 'http://localhost:5051/login' }, function (err, resp, b){ @@ -215,11 +216,31 @@ describe('samlp (functional tests)', function () { .to.equal(302); }); - it('should have SAMLRequest querystring', function(){ + it('should have SAMLRequest querystring', function(done){ expect(r.headers.location.split('?')[0]) .to.equal(server.identityProviderUrl); var querystring = qs.parse(r.headers.location.split('?')[1]); expect(querystring).to.have.property('SAMLRequest'); + var SAMLRequest = querystring.SAMLRequest; + + zlib.inflateRaw(new Buffer(SAMLRequest, 'base64'), function (err, buffer) { + if (err) return done(err); + var request = buffer.toString(); + var doc = new xmldom.DOMParser().parseFromString(request); + + expect(doc.documentElement.getAttribute('ProtocolBinding')) + .to.equal('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'); + + expect(doc.documentElement.getAttribute('Version')) + .to.equal('2.0'); + + expect(doc.documentElement.getElementsByTagName('saml:Issuer')[0] + .getAttribute('xmlns:saml')) + .to.equal('urn:oasis:names:tc:SAML:2.0:assertion'); + + done(); + }); + }); it('should have RelayState querystring', function(){ @@ -232,12 +253,61 @@ describe('samlp (functional tests)', function () { }); + describe('samlp request with custom xml', function () { + var r, bod; + + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login-custom-request-template' + }, function (err, resp, b){ + if(err) return callback(err); + r = resp; + bod = b; + done(); + }); + }); + + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + }); + + it('should have SAMLRequest querystring', function(done){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + var SAMLRequest = querystring.SAMLRequest; + + zlib.inflateRaw(new Buffer(SAMLRequest, 'base64'), function (err, buffer) { + if (err) return done(err); + var request = buffer.toString(); + var doc = new xmldom.DOMParser().parseFromString(request); + + expect(doc.documentElement.getAttribute('Protocol')) + .to.equal('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'); + + expect(doc.documentElement.getAttribute('Version')) + .to.equal('3.0'); + + expect(doc.documentElement.getAttribute('Issuertico')) + .to.equal('https://auth0-dev-ed.my.salesforce.com'); + + done(); + }); + + }); + + }); + describe('samlp request with idp url containing querystring', function () { var r, bod; - + before(function (done) { request.get({ - jar: request.jar(), + jar: request.jar(), followRedirect: false, uri: 'http://localhost:5051/login-idp-with-querystring' }, function (err, resp, b){ @@ -276,7 +346,7 @@ describe('samlp (unit tests)', function () { var samlp = new Samlp({}); samlp.extractAssertion(samlpResponse, function (err, assertion) { if (err) { done(err); } - + var doc = new xmldom.DOMParser().parseFromString(assertion.toString()); var attributes = doc.documentElement.getElementsByTagName('saml:Attribute'); expect(attributes.length).to.equal(5); @@ -337,7 +407,7 @@ describe('samlp (unit tests)', function () { function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { request.get({ - jar: request.jar(), + jar: request.jar(), uri: samlRequestUrl }, function (err, response, b){ if(err) return callback(err); @@ -347,10 +417,10 @@ function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { var $ = cheerio.load(b); var SAMLResponse = $('input[name="SAMLResponse"]').attr('value'); var RelayState = $('input[name="RelayState"]').attr('value'); - + request.post({ - jar: request.jar(), + jar: request.jar(), uri: callbackEndpoint, form: { SAMLResponse: SAMLResponse, RelayState: RelayState } }, function(err, response, body) { From 6c40c683d9fa8a82a9d523d57b5c16e7e38a6c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 6 Jun 2014 13:48:10 -0300 Subject: [PATCH 070/203] 0.12.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 3ea5ede..844eb64 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.11.0", + "version": "0.12.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 0aad2de4b8ca877cd41f411ba8348441de95e33c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Mon, 16 Jun 2014 14:41:46 -0300 Subject: [PATCH 071/203] add optional requestContext to generate the request xml --- lib/passport-wsfed-saml2/samlp.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 40c247b..f6134d2 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -48,6 +48,10 @@ Samlp.prototype = { AssertServiceURLAndDestination: assert_and_destination }; + if (options.requestContext) { + model = xtend(model, options.requestContext); + } + var SAMLRequest = trimXml(!options.requestTemplate ? templates.samlrequest(model) : supplant(options.requestTemplate, model)); if (options.deflate) { From e97148c266c0d03086d02a3849176fac8468a2d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Mon, 16 Jun 2014 14:42:05 -0300 Subject: [PATCH 072/203] 0.12.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 844eb64..fe87fa2 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.12.0", + "version": "0.12.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From f296e03da16a40a12eec6d5aa04352ee2f4459fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Mon, 16 Jun 2014 14:42:15 -0300 Subject: [PATCH 073/203] 0.13.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index fe87fa2..4a4492d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.12.1", + "version": "0.13.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From f023bc8fddfa072cbbf6a249dc15a4b7b35ec862 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Tue, 17 Jun 2014 15:39:44 -0300 Subject: [PATCH 074/203] fix issue with string interpolation --- lib/passport-wsfed-saml2/samlp.js | 10 ++++++++-- package.json | 13 +++++++------ test/fixture/samlp-server.js | 7 ++++++- test/samlp.tests.js | 3 +++ 4 files changed, 24 insertions(+), 9 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index f6134d2..2e53b65 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -15,11 +15,17 @@ var Samlp = module.exports = function Samlp (options, saml) { this._saml = saml; }; +function getProp(obj, path) { + return path.split('.').reduce(function (prev, curr) { + return prev[curr]; + }, obj); +} + var supplant = function (tmpl, o) { return tmpl.replace(/\@\@([^\@]*)\@\@/g, function (a, b) { - var r = o[b]; - return typeof r === 'string' || typeof r === 'number' ? r : a; + var r = getProp(o, b); + return typeof r === 'string' || typeof r === 'number' ? r : a; } ); }; diff --git a/package.json b/package.json index 4a4492d..dda0fef 100644 --- a/package.json +++ b/package.json @@ -19,16 +19,17 @@ }, "main": "./lib/passport-wsfed-saml2", "dependencies": { + "cryptiles": "~0.2.2", + "ejs": "~0.8.3", + "jsonwebtoken": "~0.1.0", + "lodash": "^2.4.1", "passport": "0.1.x", - "xml2js": "0.1.x", "xml-crypto": "~0.0.17", + "xml-encryption": "~0.7.2", + "xml2js": "0.1.x", "xmldom": "~0.1.19", - "xtend": "~2.0.3", - "ejs": "~0.8.3", "xpath": "0.0.5", - "cryptiles": "~0.2.2", - "jsonwebtoken": "~0.1.0", - "xml-encryption": "~0.7.2" + "xtend": "~2.0.3" }, "devDependencies": { "chai": "~1.5.0", diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 3c22f85..5f12bb5 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -26,7 +26,12 @@ passport.use('samlp-custom-request-template', new Strategy({ realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309', - requestTemplate: '' + requestTemplate: '', + requestContext: { + Foo: { + Test: 123 + } + } }, function(profile, done) { return done(null, profile); }) diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 849f766..e61e7dd 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -292,6 +292,9 @@ describe('samlp (functional tests)', function () { expect(doc.documentElement.getAttribute('Version')) .to.equal('3.0'); + expect(doc.documentElement.getAttribute('Foo')) + .to.equal('123'); + expect(doc.documentElement.getAttribute('Issuertico')) .to.equal('https://auth0-dev-ed.my.salesforce.com'); From 966f5f6400ebe6b1eb681692314452230050bcd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Tue, 17 Jun 2014 15:39:47 -0300 Subject: [PATCH 075/203] 0.13.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index dda0fef..59b9827 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.13.0", + "version": "0.13.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 0b3857b05041987a0f0703806fdcc739f0888728 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Tue, 17 Jun 2014 15:42:01 -0300 Subject: [PATCH 076/203] remove lodash dep --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index 59b9827..426eac1 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,6 @@ "cryptiles": "~0.2.2", "ejs": "~0.8.3", "jsonwebtoken": "~0.1.0", - "lodash": "^2.4.1", "passport": "0.1.x", "xml-crypto": "~0.0.17", "xml-encryption": "~0.7.2", From c54ead18e955c18ae7403ed61fad9ab0f792b491 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Tue, 17 Jun 2014 15:42:06 -0300 Subject: [PATCH 077/203] 0.13.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 426eac1..e692e0d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.13.1", + "version": "0.13.2", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 6df17881d737b7633e455a21bb188eb8610f8b1f Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 1 Jul 2014 15:03:40 -0700 Subject: [PATCH 078/203] return authnContext as another attribute of the user --- lib/passport-wsfed-saml2/saml.js | 12 ++++++++++++ test/saml20.tests.js | 33 ++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 5ffbdcc..ab309f7 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -135,8 +135,15 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { return attributeValues; } + function getAuthContext20(samlAssertion) { + var authnContext = xpath.select("//*[local-name(.)='AuthnStatement']/*[local-name(.)='AuthnContext']/*[local-name(.)='AuthnContextClassRef']", samlAssertion); + if (authnContext.length === 0) return; + return authnContext[0].textContent; + } + var profile = {}; var nameId; + var authContext; var attributes = getAttributes(samlAssertion); if (version === '2.0') { for (var index in attributes) { @@ -149,6 +156,11 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { if (nameId) { profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = nameId; } + + authContext = getAuthContext20(samlAssertion); + if (authContext) { + profile['http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'] = authContext; + } } else { if (attributes) { diff --git a/test/saml20.tests.js b/test/saml20.tests.js index ba27851..ab8fe0c 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -82,4 +82,37 @@ describe('saml 2.0 assertion', function () { }); + it('should extract authentication context from assertion as a user prop', function (done) { + + var options = { + cert: fs.readFileSync(__dirname + '/test-auth0.pem'), + key: fs.readFileSync(__dirname + '/test-auth0.key'), + issuer: 'urn:issuer', + lifetimeInSeconds: 600, + audiences: 'urn:myapp', + attributes: { + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'сообщить@bar.com', + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'сообщить вКонтакте' + }, + nameIdentifier: 'вКонтакте', + nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' + }; + + var signedAssertion = saml20.create(options); + + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { + if (error) return done(error); + + assert.ok(profile); + assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', profile['http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod']); + + done(); + }); + + }); + + + }); From b3958ea8770b56ec2ebf99ce0950db76f4c4d086 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 1 Jul 2014 15:04:04 -0700 Subject: [PATCH 079/203] 0.14.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e692e0d..7b3a717 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.13.2", + "version": "0.14.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From dd70863b94556fc3eec87d6283bb84c3d0b8442b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Wed, 2 Jul 2014 16:06:49 -0300 Subject: [PATCH 080/203] add sessionIndex as another attribute --- lib/passport-wsfed-saml2/saml.js | 43 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index ab309f7..3cd1829 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -48,11 +48,11 @@ SAML.prototype.validateSignature = function (xml, options, callback) { var der = new Buffer(base64cer, 'base64').toString('binary'); shasum.update(der); self.calculatedThumbprint = shasum.digest('hex'); - + return self.certToPEM(base64cer); } } - + return self.certToPEM(options.cert); } }; @@ -82,7 +82,7 @@ SAML.prototype.validateExpiration = function (samlAssertion, version) { var notBefore = new Date(conditions[0].getAttribute('NotBefore')); notBefore = notBefore.setMinutes(notBefore.getMinutes() - 10); // 10 minutes clock skew - + var notOnOrAfter = new Date(conditions[0].getAttribute('NotOnOrAfter')); notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 10); // 10 minutes clock skew var now = new Date(); @@ -111,6 +111,13 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { return attributes; } + function getSessionIndex(samlAssertion) { + var authnStatement = xpath.select("//*[local-name(.)='AuthnStatement']", samlAssertion); + var sessionIndex = authnStatement.length > 0 && authnStatement[0].attributes.length > 0 ? + authnStatement[0].getAttribute('SessionIndex') : undefined; + return sessionIndex || undefined; + } + function getNameID20(samlAssertion) { var nameId = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='NameID']", samlAssertion); if (nameId.length === 0) return; @@ -129,9 +136,9 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { for (var i = 0; i 0) issuer = issuerNode[0].textContent; } else { From ce2d6d97461819de867d8a2f7f699c87f857e2e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Wed, 2 Jul 2014 16:07:37 -0300 Subject: [PATCH 081/203] 0.15.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 7b3a717..942596d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.14.0", + "version": "0.15.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 0462e186f9b7db45d0a08c7eb1036f84593ba317 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 4 Jul 2014 17:34:14 -0300 Subject: [PATCH 082/203] add nameIdAttributes in the profile --- lib/passport-wsfed-saml2/saml.js | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 3cd1829..b2e12cf 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -121,7 +121,21 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { function getNameID20(samlAssertion) { var nameId = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='NameID']", samlAssertion); if (nameId.length === 0) return; - return nameId[0].textContent; + var element = nameId[0]; + var result = { + value: element.textContent, + }; + + ['NameQualifier', + 'SPNameQualifier', + 'Format', + 'SPProvidedID'].forEach(function(key) { + var value = element.getAttribute(key); + if (!value) return; + result[key] = element.getAttribute(key); + }); + + return result; } function getNameID11(samlAssertion) { @@ -161,8 +175,12 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { } nameId = getNameID20(samlAssertion); + if (nameId) { - profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = nameId; + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = nameId.value; + if(Object.keys(nameId).length > 1) { + profile['nameIdAttributes'] = nameId; + } } authContext = getAuthContext20(samlAssertion); From ec850d9cb3d3ce8fbfa07452fa08fd574d6cf578 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Fri, 4 Jul 2014 17:34:22 -0300 Subject: [PATCH 083/203] 0.16.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 942596d..af2fbdc 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.15.0", + "version": "0.16.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 5de683493be50799be4e8b8aceb99ebb0438dcca Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 14 Jul 2014 19:13:28 -0300 Subject: [PATCH 084/203] update to latest jsonwebtoken --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index af2fbdc..1043e60 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "dependencies": { "cryptiles": "~0.2.2", "ejs": "~0.8.3", - "jsonwebtoken": "~0.1.0", + "jsonwebtoken": "~0.4.1", "passport": "0.1.x", "xml-crypto": "~0.0.17", "xml-encryption": "~0.7.2", From d88bac47a390f375dd8d824bc904e7bf93327ce4 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Mon, 14 Jul 2014 19:13:38 -0300 Subject: [PATCH 085/203] 0.16.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 1043e60..dcdf8d9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.16.0", + "version": "0.16.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 1a7e9ead2cd782f5559b5e0ebeee8a13d49b96a4 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 12 Aug 2014 00:24:54 -0300 Subject: [PATCH 086/203] update xml-crypto that has a fix to replace crlf with lf only --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index dcdf8d9..4907caf 100644 --- a/package.json +++ b/package.json @@ -23,7 +23,7 @@ "ejs": "~0.8.3", "jsonwebtoken": "~0.4.1", "passport": "0.1.x", - "xml-crypto": "~0.0.17", + "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", "xml-encryption": "~0.7.2", "xml2js": "0.1.x", "xmldom": "~0.1.19", From 646fa67468f443957401131ccb692a6d22193cb1 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 12 Aug 2014 00:25:05 -0300 Subject: [PATCH 087/203] 0.17.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 4907caf..74a9a9a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.16.1", + "version": "0.17.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From e1ef74a3999a9e8a4e1c330515a01f4544136824 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 12 Aug 2014 10:40:30 -0300 Subject: [PATCH 088/203] add test and fix for assertion containing \r\n --- lib/passport-wsfed-saml2/saml.js | 3 +++ test/interop.tests.js | 29 ++++++++++++++++++++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index b2e12cf..a6141df 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -7,6 +7,8 @@ var xmldom = require('xmldom'); var xpath = require('xpath'); var cryptiles = require('cryptiles'); +var ELEMENT_NODE = 1; + var SAML = function (options) { this.options = options; @@ -148,6 +150,7 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { if (!attribute || attribute.childNodes.length === 0) return; var attributeValues = []; for (var i = 0; i Date: Tue, 12 Aug 2014 10:40:38 -0300 Subject: [PATCH 089/203] 0.18.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 74a9a9a..b971b68 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.17.0", + "version": "0.18.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 56d664a42aecd30d68a5aad2e33624615fcce1d1 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Tue, 12 Aug 2014 13:30:42 -0300 Subject: [PATCH 090/203] 0.18.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b971b68..376243a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.18.0", + "version": "0.18.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 3645a6f9b38a68720459b872b3a45adc1dbb50ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Mon, 18 Aug 2014 10:25:02 -0300 Subject: [PATCH 091/203] add ForceAuthn and an Auth0 example --- examples/auth0/app.js | 90 +++++++++++++++++++ examples/auth0/package.json | 10 +++ examples/auth0/views/account.ejs | 2 + examples/auth0/views/index.ejs | 5 ++ examples/auth0/views/layout.ejs | 21 +++++ lib/passport-wsfed-saml2/saml.js | 1 + lib/passport-wsfed-saml2/samlp.js | 1 + .../templates/samlrequest.ejs | 2 +- 8 files changed, 131 insertions(+), 1 deletion(-) create mode 100644 examples/auth0/app.js create mode 100644 examples/auth0/package.json create mode 100644 examples/auth0/views/account.ejs create mode 100644 examples/auth0/views/index.ejs create mode 100644 examples/auth0/views/layout.ejs diff --git a/examples/auth0/app.js b/examples/auth0/app.js new file mode 100644 index 0000000..3f60810 --- /dev/null +++ b/examples/auth0/app.js @@ -0,0 +1,90 @@ +var express = require('express'); +var passport = require('passport'); +var Strategy = require('../../lib/passport-wsfed-saml2/index').Strategy; +var http = require('http'); + +passport.serializeUser(function(user, done) { + done(null, user); +}); + +passport.deserializeUser(function(id, done) { + done(null, id); +}); + +passport.use(new Strategy( + { + protocol: 'samlp', + path: '/login/callback', + realm: 'urn:saml-example', + homeRealm: '', + // identityProviderUrl: 'https://mdocs.auth0.com/samlp/dVrQZOG4gkBhzcLartSgW2v7kSnvW5XR?connection=github', + // thumbprint: 'c5b930896e3f4e2cc1d6d1ceb68f4d3de90deee6' + identityProviderUrl: 'https://login0.myauth0.com/samlp/wklezTET2P3iYA54Sraju8qFN0ohdI0G', + thumbprint: 'dba77ba142ff38d5076b4310700709c470d53790' + }, function(profile, done) { + console.log("Auth with", profile); + if (!profile.email) { + return done(new Error("No email found"), null); + } + done(null, profile); + } +)); + +var app = express(); + +// configure Express +app.configure(function() { + app.set('views', __dirname + '/views'); + app.set('view engine', 'ejs'); + app.use(express.logger()); + app.use(express.cookieParser()); + app.use(express.bodyParser()); + app.use(express.methodOverride()); + app.use(express.session({ secret: 'keyboard cat' })); + app.use(passport.initialize()); + app.use(passport.session()); + app.use(app.router); + app.use(express.static(__dirname + '/../../public')); +}); + + +app.get('/', function(req, res){ + res.render('index', { user: req.user }); +}); + +app.get('/account', ensureAuthenticated, function(req, res){ + res.render('account', { user: req.user }); +}); + +app.get('/login', + passport.authenticate('wsfed-saml2', { failureRedirect: '/', forceAuthn: true }), + function(req, res) { + res.redirect('/'); + } +); + +app.post('/login/callback', + passport.authenticate('wsfed-saml2', { failureRedirect: '/' }), + function(req, res) { + res.redirect('/'); + } +); + +app.get('/logout', function(req, res){ + req.logout(); + res.redirect('/'); +}); + +http.createServer(app).listen(3000, function () { + console.log("Server listening in http://localhost:3000"); +}); + +// Simple route middleware to ensure user is authenticated. +// Use this route middleware on any resource that needs to be protected. If +// the request is authenticated (typically via a persistent login session), +// the request will proceed. Otherwise, the user will be redirected to the +// login page. +function ensureAuthenticated(req, res, next) { + if (req.isAuthenticated()) { return next(); } + res.redirect('/login'); +} \ No newline at end of file diff --git a/examples/auth0/package.json b/examples/auth0/package.json new file mode 100644 index 0000000..7a3e06f --- /dev/null +++ b/examples/auth0/package.json @@ -0,0 +1,10 @@ +{ + "name": "passport-azure-acs-sample", + "version": "0.0.0", + "dependencies": { + "express": ">= 0.0.0", + "ejs": ">= 0.0.0", + "passport": ">= 0.0.0", + "passport-azure-acs": ">= 0.0.0" + } +} diff --git a/examples/auth0/views/account.ejs b/examples/auth0/views/account.ejs new file mode 100644 index 0000000..758ba25 --- /dev/null +++ b/examples/auth0/views/account.ejs @@ -0,0 +1,2 @@ +

ID: <%= user.id %>

+

Name: <%= user.displayName %>

diff --git a/examples/auth0/views/index.ejs b/examples/auth0/views/index.ejs new file mode 100644 index 0000000..7ee22e2 --- /dev/null +++ b/examples/auth0/views/index.ejs @@ -0,0 +1,5 @@ +<% if (!user) { %> +

Welcome! Please log in.

+<% } else { %> +

Hello, <%= user.email %>.

+<% } %> \ No newline at end of file diff --git a/examples/auth0/views/layout.ejs b/examples/auth0/views/layout.ejs new file mode 100644 index 0000000..d7df87e --- /dev/null +++ b/examples/auth0/views/layout.ejs @@ -0,0 +1,21 @@ + + + + Passport-Windows Azure Access Control Service Example + + + <% if (!user) { %> +

+ Home | + Log In +

+ <% } else { %> +

+ Home | + Account | + Log Out +

+ <% } %> + <%- body %> + + \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index a6141df..0fa7218 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -250,6 +250,7 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { } if (self.options.checkAudience && !self.validateAudience(samlAssertion, self.options.realm, version)) { + console.log('Audience is invalid. Configured: ' + self.options.realm); return callback(new Error('Audience is invalid. Configured: ' + self.options.realm), null); } diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 2e53b65..b173f8a 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -51,6 +51,7 @@ Samlp.prototype = { IssueInstant: generateInstant(), Issuer: options.realm, ProtocolBinding: options.protocolBinding, + ForceAuthn: options.forceAuthn, AssertServiceURLAndDestination: assert_and_destination }; diff --git a/lib/passport-wsfed-saml2/templates/samlrequest.ejs b/lib/passport-wsfed-saml2/templates/samlrequest.ejs index 00e6c86..4799914 100644 --- a/lib/passport-wsfed-saml2/templates/samlrequest.ejs +++ b/lib/passport-wsfed-saml2/templates/samlrequest.ejs @@ -1,7 +1,7 @@ ID="<%= ID %>" - IssueInstant="<%= IssueInstant %>" + IssueInstant="<%= IssueInstant %>"<% if (ForceAuthn) { %> ForceAuthn="true"<% } %> ProtocolBinding="<%= ProtocolBinding %>" Version="2.0"> <%= Issuer %> \ No newline at end of file From 2712f7c93a3ad1a3573a90e1be460a8e86e39384 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Mon, 18 Aug 2014 10:25:05 -0300 Subject: [PATCH 092/203] 0.19.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 376243a..5e67b87 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.18.1", + "version": "0.19.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From c0f2e819bfe68a99ebf859b392ccd5f5021f2615 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Tue, 30 Dec 2014 15:44:12 -0300 Subject: [PATCH 093/203] update jsonwebtoken --- lib/passport-wsfed-saml2/strategy.js | 14 +++++++------- package.json | 2 +- test/jwt.tests.js | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 3cea29e..ef65752 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -28,16 +28,16 @@ function Strategy (options, verify) { this._saml = new saml.SAML(this.options); this._samlp = new samlp(this.options, this._saml); } else { - this._jwt = this.options.jwt; + this._jwt = this.options.jwt; } this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); } util.inherits(Strategy, passport.Strategy); -Strategy.prototype._authenticate_saml = function (req) { +Strategy.prototype._authenticate_saml = function (req) { var self = this; - + if (req.body.wresult.indexOf('<') === -1) { return self.fail('wresult should be a valid xml', 400); } @@ -115,11 +115,11 @@ Strategy.prototype.authenticate = function (req, opts) { return self.fail('SAMLResponse should be a valid xml', 400); } - // We have a response, get the user identity out of it + // We have a response, get the user identity out of it var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { if (err) return self.fail(err, 400); - + var verified = function (err, user, info) { if (err) return self.error(err); @@ -144,14 +144,14 @@ Strategy.prototype.authenticate = function (req, opts) { case 'wsfed': executeWsfed(req, this.options); break; - case 'samlp': + case 'samlp': executeSamlp(req, this.options); break; default: throw new Error('not supported protocol: ' + protocol); } - + }; Strategy.prototype.authorizationParams = function(options) { diff --git a/package.json b/package.json index 5e67b87..d391604 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "dependencies": { "cryptiles": "~0.2.2", "ejs": "~0.8.3", - "jsonwebtoken": "~0.4.1", + "jsonwebtoken": "~3.2.0", "passport": "0.1.x", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", "xml-encryption": "~0.7.2", diff --git a/test/jwt.tests.js b/test/jwt.tests.js index 1861756..09d216f 100644 --- a/test/jwt.tests.js +++ b/test/jwt.tests.js @@ -18,7 +18,7 @@ var s = new Strategy({ }); describe('jwt support', function () { - + it('should work', function (done) { s.success = function (user) { expect(user.foo).to.equal('bar'); @@ -28,8 +28,8 @@ describe('jwt support', function () { s.fail = done; s.error = done; - var token = jwt.sign({ - foo: 'bar' + var token = jwt.sign({ + foo: 'bar' }, cert.key, { algorithm: 'RS256'}); var req = { From 14570e8c4d9bbce63626194ccdad3197dfa4fec6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Tue, 30 Dec 2014 15:44:15 -0300 Subject: [PATCH 094/203] 1.0.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d391604..754c073 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "0.19.0", + "version": "1.0.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 4bac11cf12f4fb0a309ee13944fd1a97dd2ea072 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Tue, 30 Dec 2014 16:00:11 -0300 Subject: [PATCH 095/203] minor --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 663b27a..b3d4c98 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,5 @@ language: node_js +before_install: npm i -g npm@1.4.28 node_js: - 0.8 - 0.10 \ No newline at end of file From b34f8e2aaba65e3ee5385973ceba26a40913103b Mon Sep 17 00:00:00 2001 From: Mithun Patel Date: Mon, 19 Jan 2015 13:46:51 -0600 Subject: [PATCH 096/203] Updated to use Express ^4.11 --- examples/login/app.js | 46 +++++++++++++++++++++++++------------ examples/login/package.json | 12 ++++++---- 2 files changed, 39 insertions(+), 19 deletions(-) diff --git a/examples/login/app.js b/examples/login/app.js index 14c2faa..d64f4fa 100644 --- a/examples/login/app.js +++ b/examples/login/app.js @@ -1,8 +1,19 @@ +// var express = require('express') +// , passport = require('passport') +// , util = require('util') +// , wsfedsaml2 = require('../../lib/passport-wsfed-saml2/index').Strategy +// , fs = require('fs'); + var express = require('express') , passport = require('passport') , util = require('util') , wsfedsaml2 = require('../../lib/passport-wsfed-saml2/index').Strategy - , fs = require('fs'); + , fs = require('fs') + , morgan = require('morgan') + , cookieParser = require('cookie-parser') + , bodyParser = require('body-parser') + , methodOverride = require('method-override') + , session = require('express-session'); var users = [ { id: 1, givenName: 'matias', email: 'matias@auth10.com' } @@ -68,22 +79,27 @@ passport.use(new wsfedsaml2( } )); -var app = express.createServer(); +var app = express(); +var router = express.Router(); // configure Express -app.configure(function() { - app.set('views', __dirname + '/views'); - app.set('view engine', 'ejs'); - app.use(express.logger()); - app.use(express.cookieParser()); - app.use(express.bodyParser()); - app.use(express.methodOverride()); - app.use(express.session({ secret: 'keyboard cat' })); - app.use(passport.initialize()); - app.use(passport.session()); - app.use(app.router); - app.use(express.static(__dirname + '/../../public')); -}); +app.set('views', __dirname + '/views'); +app.set('view engine', 'ejs'); +app.use(morgan('combined')); +app.use(cookieParser()); +app.use(bodyParser.urlencoded({ + extended: true +})); +app.use(methodOverride()); +app.use(session({ + secret: 'keyboard cat', + resave: false, + saveUninitialized: true +})); +app.use(passport.initialize()); +app.use(passport.session()); +app.use('', router); +app.use(express.static(__dirname + '/../../public')); app.get('/', function(req, res){ diff --git a/examples/login/package.json b/examples/login/package.json index 7a3e06f..1b98462 100644 --- a/examples/login/package.json +++ b/examples/login/package.json @@ -2,9 +2,13 @@ "name": "passport-azure-acs-sample", "version": "0.0.0", "dependencies": { - "express": ">= 0.0.0", - "ejs": ">= 0.0.0", - "passport": ">= 0.0.0", - "passport-azure-acs": ">= 0.0.0" + "body-parser": "^1.10.1", + "cookie-parser": "^1.3.3", + "ejs": "^2.1.4", + "express": "^4.11.0", + "express-session": "^1.10.1", + "method-override": "^2.3.1", + "morgan": "^1.5.1", + "passport": ">= 0.0.0" } } From a81851e39f4d91db1cf7d7fe7f86b8bc7fd7962b Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 21 Jan 2015 11:53:05 -0300 Subject: [PATCH 097/203] handle error when RequestedSecurityToken is not part of wresult --- lib/passport-wsfed-saml2/strategy.js | 4 ++++ lib/passport-wsfed-saml2/wsfederation.js | 4 ++-- test/wsfed.tests.js | 22 ++++++++++++++++++++++ 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index ef65752..a80aa31 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -43,6 +43,10 @@ Strategy.prototype._authenticate_saml = function (req) { } var token = self._wsfed.extractToken(req); + if (!token) { + return self.fail('missing RequestedSecurityToken element', 400); + } + self._saml.validateSamlAssertion(token, function (err, profile) { if (err) { return self.error(err); diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index fac4372..1521e3e 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -29,9 +29,9 @@ WsFederation.prototype = { extractToken: function(req) { var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']); - var token = doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0].firstChild; + var token = doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0]; - return token; + return token && token.firstChild; } }; diff --git a/test/wsfed.tests.js b/test/wsfed.tests.js index b2c36cf..4875df9 100644 --- a/test/wsfed.tests.js +++ b/test/wsfed.tests.js @@ -58,6 +58,28 @@ describe('wsfed', function () { }); + describe('wresult without RequestedSecurityToken', function () { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5050/callback', + form: { wresult: '' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should return a 400', function(){ + expect(r.statusCode) + .to.equal(400); + }); + }); + describe('missing wresult in POST', function () { var user, r, bod, $; From 66f7de18f35dd2d65336444a7ac9d20fd6398ec8 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 21 Jan 2015 11:53:16 -0300 Subject: [PATCH 098/203] 1.0.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 754c073..44b9458 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.0.0", + "version": "1.0.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From e8f046e588e0cb4c4b17628e7810896347d47479 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 12 Mar 2015 13:02:27 -0300 Subject: [PATCH 099/203] support array of thumbprints --- examples/auth0/app.js | 2 +- examples/login/app.js | 2 +- lib/passport-wsfed-saml2/saml.js | 23 ++++++++++++++++------- lib/passport-wsfed-saml2/samlp.js | 11 +++++++++-- test/fixture/samlp-server.js | 20 ++++++++++---------- test/fixture/wsfed-server.js | 2 +- test/interop.tests.js | 10 +++++----- test/saml11.tests.js | 7 +++---- 8 files changed, 46 insertions(+), 31 deletions(-) diff --git a/examples/auth0/app.js b/examples/auth0/app.js index 3f60810..418e732 100644 --- a/examples/auth0/app.js +++ b/examples/auth0/app.js @@ -20,7 +20,7 @@ passport.use(new Strategy( // identityProviderUrl: 'https://mdocs.auth0.com/samlp/dVrQZOG4gkBhzcLartSgW2v7kSnvW5XR?connection=github', // thumbprint: 'c5b930896e3f4e2cc1d6d1ceb68f4d3de90deee6' identityProviderUrl: 'https://login0.myauth0.com/samlp/wklezTET2P3iYA54Sraju8qFN0ohdI0G', - thumbprint: 'dba77ba142ff38d5076b4310700709c470d53790' + thumbprints: ['dba77ba142ff38d5076b4310700709c470d53790'] }, function(profile, done) { console.log("Auth with", profile); if (!profile.email) { diff --git a/examples/login/app.js b/examples/login/app.js index 14c2faa..d961ea2 100644 --- a/examples/login/app.js +++ b/examples/login/app.js @@ -44,7 +44,7 @@ passport.use(new wsfedsaml2( // setup either a certificate base64 encoded (cer) or just the thumbprint of the certificate if public key is embedded in the signature //cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg=' - thumbprint: 'a3cff17cbf7e793a97861390eb698d00e9598537' + thumbprints: ['a3cff17cbf7e793a97861390eb698d00e9598537'] }, function(profile, done) { console.log("Auth with", profile); diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 0fa7218..f0af123 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -12,8 +12,12 @@ var ELEMENT_NODE = 1; var SAML = function (options) { this.options = options; - if (!options.cert && !options.thumbprint) { - throw new Error('You should set either a base64 encoded certificate or the thumbprint of the certificate'); + if (this.options.thumbprint) { + this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]); + } + + if (!this.options.cert && (!this.options.thumbprints || this.options.thumbprints.length === 0)) { + throw new Error('You should set either a base64 encoded certificate or the thumbprints of the signing certificates'); } this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true; @@ -42,7 +46,7 @@ SAML.prototype.validateSignature = function (xml, options, callback) { return ""; }, getKey: function (keyInfo) { - if (options.thumbprint) { + if (options.thumbprints && options.thumbprints.length > 0) { var embeddedSignature = keyInfo[0].getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate"); if (embeddedSignature.length > 0) { var base64cer = embeddedSignature[0].firstChild.toString(); @@ -69,9 +73,14 @@ SAML.prototype.validateSignature = function (xml, options, callback) { return callback(); } - if (options.thumbprint) { - if (this.calculatedThumbprint.toUpperCase() !== options.thumbprint.toUpperCase()) { - return callback(new Error('Invalid thumbprint (configured: ' + options.thumbprint.toUpperCase() + '. calculated: ' + this.calculatedThumbprint.toUpperCase() + ')' )); + if (options.thumbprints) { + + var valid_thumbprint = options.thumbprints.some(function (thumbprint) { + return self.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase(); + }); + + if (!valid_thumbprint) { + return callback(new Error('Invalid thumbprint (configured: ' + options.thumbprints.join(', ').toUpperCase() + '. calculated: ' + this.calculatedThumbprint.toUpperCase() + ')' )); } return callback(); @@ -217,7 +226,7 @@ SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { self.validateSignature(samlAssertion, { cert: self.options.cert, - thumbprint: self.options.thumbprint, + thumbprints: self.options.thumbprints, signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) { if (err) return callback(err); diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index b173f8a..09f6598 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -10,7 +10,14 @@ var xmlenc = require('xml-encryption'); var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; this.options.protocolBinding = options.protocolBinding || 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'; - if (typeof options.deflate === 'undefined') this.options.deflate = true; + + if (this.options.thumbprint) { + this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]); + } + + if (typeof options.deflate === 'undefined') { + this.options.deflate = true; + } this._saml = saml; }; @@ -151,7 +158,7 @@ Samlp.prototype = { if (isResponseSigned) { self._saml.validateSignature(samlResponse, { cert: self.options.cert, - thumbprint: self.options.thumbprint, + thumbprints: self.options.thumbprints, signaturePath: samlResponseSignaturePath }, function (err) { diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 5f12bb5..cb91255 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -15,7 +15,7 @@ passport.use('samlp', new Strategy({ path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, - thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'] }, function(profile, done) { return done(null, profile); }) @@ -25,7 +25,7 @@ passport.use('samlp-custom-request-template', new Strategy({ path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, - thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], requestTemplate: '', requestContext: { Foo: { @@ -42,7 +42,7 @@ passport.use('samlp-idpurl-with-querystring', new Strategy( path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl + '?foo=bar', - thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'] }, function(profile, done) { return done(null, profile); @@ -54,7 +54,7 @@ passport.use('samlp-signedresponse', new Strategy( path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, - thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'] }, function(profile, done) { return done(null, profile); @@ -66,7 +66,7 @@ passport.use('samlp-signedresponse-invalidcert', new Strategy( path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, - thumbprint: '11111111111111111a5b93a43572eb2376fed309' + thumbprints: ['11111111111111111a5b93a43572eb2376fed309'] }, function(profile, done) { return done(null, profile); @@ -78,7 +78,7 @@ passport.use('samlp-invalidcert', new Strategy( path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, - thumbprint: '11111111111111111a5b93a43572eb2376fed309' + thumbprints: ['11111111111111111a5b93a43572eb2376fed309'] }, function(profile, done) { return done(null, profile); @@ -89,7 +89,7 @@ passport.use('samlp-signedresponse-signedassertion', new Strategy( { path: '/callback', realm: 'urn:auth0:login-dev3', - thumbprint: 'C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB', + thumbprints: ['C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB'], checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { @@ -101,7 +101,7 @@ passport.use('samlp-ping', new Strategy( { path: '/callback', realm: 'urn:auth0:login-dev3', - thumbprint: '44340220770a348444be34970939cff8a2d74f08', + thumbprints: ['44340220770a348444be34970939cff8a2d74f08'], checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { @@ -113,7 +113,7 @@ passport.use('samlp-okta', new Strategy( { path: '/callback', realm: 'https://auth0145.auth0.com', - thumbprint: 'a0c7dbb790e3476d3c5dd236f9f2060b1fd6e253', + thumbprints: ['a0c7dbb790e3476d3c5dd236f9f2060b1fd6e253'], checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { @@ -124,7 +124,7 @@ passport.use('samlp-okta', new Strategy( passport.use('samlp-with-utf8', new Strategy( { path: '/callback', - thumbprint: '42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031', + thumbprints: ['42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031'], decryptionKey: fs.readFileSync(path.join(__dirname, '../test-decryption.key')), checkExpiration: false, // we are using a precomputed assertion generated from a sample idp feide checkAudience: false diff --git a/test/fixture/wsfed-server.js b/test/fixture/wsfed-server.js index 3954f19..70aaae7 100644 --- a/test/fixture/wsfed-server.js +++ b/test/fixture/wsfed-server.js @@ -13,7 +13,7 @@ passport.use(new Strategy( path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: 'http://localhost:5050/login', - thumbprint: '5ca6e1202eafc0a63a5b93a43572eb2376fed309' + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'] }, function(profile, done) { return done(null, profile); diff --git a/test/interop.tests.js b/test/interop.tests.js index 56e1b21..68ad299 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -28,7 +28,7 @@ describe('interop', function () { it('should validate an assertion from office365', function (done) { var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; - var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0', + var saml_passport = new SamlPassport({thumbprints: ['3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0'], realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { @@ -156,7 +156,7 @@ describe('interop', function () { it('should validate an assertion from adfs', function (done) { var signedAssertion = 'urn:auth0:auth0john@fabrikam.comurn:oasis:names:tc:SAML:1.0:cm:bearerjohn@fabrikam.comJohn FabrikamJohnFabrikamjohn@fabrikam.comurn:oasis:names:tc:SAML:1.0:cm:bearer8Yi8+vbZagbCsopdmXFjeFvexHlkHYAViSf9w3yFbWo=SzQaNU4uo4IPJTsK3DZkYNx1FzpAoIxXyWiOMJyuUScYbvUHMjxoPsh6KJrkLwUIGnv07TpTFKrhjA/tGzLCwPMOWlpGp66N/U9wWe3vshHyW34/oAq14EwptjmXEPpHjR2P+giJAUJ0VTXIvbTsGNLuDVV/px43CoIX2D6jc8yt8VffAMX4R+WzI2a6QRMqglTbxzFEfcJC1yK9jT/UzjRIKe9bMS2T8kupDaGOWYj4XMh9BkIVXV40jJakss+cF4wjO/LWfpbwZwMzfOXBQV+W6O5X/HfTod/4zzmdFKjArx6vXQl7vCRr9AXUGgbPWdtSVK7HSMCyjZiAOGcr0Q==MIIC5DCCAcygAwIBAgIQGmfE0ae34q1IXJvpfhwYVDANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIFNpZ25pbmcgLSB0ZXN0LWFkZnMuYXV0aDEwLmNvbTAeFw0xMzAyMTIwMzU3MzlaFw0xNDAyMTIwMzU3MzlaMC4xLDAqBgNVBAMTI0FERlMgU2lnbmluZyAtIHRlc3QtYWRmcy5hdXRoMTAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuNaTwlMjKeXVabhVQJjmjousrLuYi5hxELIQX80ZT3/kTsRUQaP6AoCMEYjofcV6QnxQeHxHJgzcy5t4bmHozIsLYlroH7PaDNqXLnX+6ivAX1nFa9IOeaw3X206oGmCSo6pJxbW8LwXjYC7BYrINitm/mgcOrypbasADvO1j+fyjkBTFPuF2+La4ehwGCKdrvZZF0lDKiHPbCI8xqH7HOgX+QLtnhK2WclDIpcPd2eeaVq1fB8XBwTXNOv2ZdaEi2i3mDXQoa8wZVozqs5h6OKVXl7hNQH2/qUDAZc15kZcR9Zcxyo5v0GtqYS3J70Q+8HkuQfYTBGR+Cum9S+bfQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAVf930SJfJquM/4A3vibsmjRuCytHeEXLrEyt0j/NBDnyLqFMoL7qILfqtK3oSmQNb6PRQiLLFJlIz7fnkj6k3hm4qpJJvjyqcxYDeW6SK8yP7zKNGMeyIMs/humVgXWALkTF6PoFIfFo2lfnHAzHqPE06WN+hcYHRBjuR5/T+58l2LH9vJjPHuceGkWXyQCB/Hd2riNElXODIBEKzzKL923rm3oPaH/Un8TYnpyRRVKLd40DiptbY/E7YpzWrOsUppjsm0pUhdvBYjihLc6PhALzoUC3GwMjUK0T70gqRoGzsiqRIjIEC35QBGKavzhya2DLTZK3Pf70eJpkp1bGL'; - var saml_passport = new SamlPassport({thumbprint: 'C9018666E764613366C20BC011D947B39BED236B', + var saml_passport = new SamlPassport({thumbprints: ['C9018666E764613366C20BC011D947B39BED236B'], realm: 'urn:auth0:auth0', checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { @@ -170,7 +170,7 @@ describe('interop', function () { it('should validate an assertion with umlats xmldom', function (done) { var signedAssertion = new Parser().parseFromString('https://aai-logon.ethz.ch/idp/shibbolethjVMwKZ5O3hXfOf6tkVan2hnPW2w=nq5nJangoli5J6uBF/sEeYyKL7+xepbsDmjT6mpggLmba6yR+lQaZmAGnti8nhZUPyXwZfZS3d9oH4upbRg56jdVVcPaZUhYOPW2T2etm7lxxaDlHDJo/E40KnBtGMn6Oxz23hXUrc6p6K4FFLCQwmsE3ZZlP/u8DcqKNl5X/D5udcCV75mjxnVKWuXu34Xw4uQEQBb+6UfGjDN1/91M6U3ZZ0iOSRsBC7+SYLVMbDZqGveioKjZMPBuHmoBwQxsCixu1var3LNyCFVRo0LV9qA5DhA5lyH209+kFsN9vqzHKkiOF+Wua+Ngh2oR/48CWfTOjDuvRpje1bICIwwCQg==MIIFjzCCBHegAwIBAgIUZ+QtvaEucMtOcruHlzQrEDH92FMwDQYJKoZIhvcNAQEFBQAwazELMAkG\nA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHzAdBgNVBAsTFnd3dy5xdW92YWRp\nc2dsb2JhbC5jb20xIDAeBgNVBAMTF1F1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBMB4XDTEzMDQxNzA4\nMDYwNFoXDTE1MDQxNzA4MDYwNFowYzELMAkGA1UEBhMCQ0gxEDAOBgNVBAgTB1p1ZXJpY2gxEDAO\nBgNVBAcTB1p1ZXJpY2gxFDASBgNVBAoTC0VUSCBadWVyaWNoMRowGAYDVQQDExFhYWktbG9nb24u\nZXRoei5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOJWLI4vWx5HnqUvkBDm5Egp\nUg8yOlL3HbS0Y62/k77R2W9wxNczcR79wUBl2cNDCF/LxzdY1ml2u2skbZy4tqtmcvHVrwM5RVDb\n3jpjUhzBlD5rkpxgut2zFmNsahXzceD9dzsTvq7MUq6YgW6iRY3wNbes7ZgRtdkCz+vbiB52iTES\nZ2lo6fBn69eiqywUhQ5t/K4jGqpSUf1DITz//lMWRveagVyUq342JONxo93nt6x6ewGg+Qo8yCuC\nj4VehpncHYV0oNI2sSncKPm23Z4TNxPDalSaq8R5nKhueG+FHX7Ks8hWYSf42m2rrZLTumv2Ry8H\nFrPFkI7kuSFwVRECAwEAAaOCAjEwggItMHQGCCsGAQUFBwEBBGgwZjAqBggrBgEFBQcwAYYeaHR0\ncDovL29jc3AucXVvdmFkaXNnbG9iYWwuY29tMDgGCCsGAQUFBzAChixodHRwOi8vdHJ1c3QucXVv\ndmFkaXNnbG9iYWwuY29tL3F2c3NsaWNhLmNydDCBtQYDVR0RBIGtMIGqghFhYWktbG9nb24uZXRo\nei5jaIIPdmNpcGhlci5ldGh6LmNogg92Y2Flc2FyLmV0aHouY2iCD3ZjdXJ0ZXIuZXRoei5jaIIP\ndmNvcHBlci5ldGh6LmNogg92Y2Vuc29yLmV0aHouY2iCEmxkYXBzLWluZm8uZXRoei5jaIIPbGlu\ndGVzdC5ldGh6LmNogRt2bGFkaXNsYXYubmVzcG9yQGlkLmV0aHouY2gwUQYDVR0gBEowSDBGBgwr\nBgEEAb5YAAJkAQEwNjA0BggrBgEFBQcCARYoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5jb20v\ncmVwb3NpdG9yeTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMB8GA1UdIwQYMBaAFDJNoU/q8K6Ztu6bByyECBFQi+J+MDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6\nLy9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2c3NsaWNhLmNybDAdBgNVHQ4EFgQUUrfY5AJdnN5W\n9TTyrVObbQEoH/cwDQYJKoZIhvcNAQEFBQADggEBAJHQIjLbalw9LF9wIjhhOsEsaf/Bd8dSKcb2\nICLC16TyetuTTJfqHqHr3QiAcrSNKOxqoFBX51t7oNyd3n1BGxJeYmpoyKHKmViUF9mJWBKxSvfW\njmYA7M/LptNX+aUz0fPntCokjH5pPAk3n5YYf2gTFOmRbZDdvNxQ0+o5EkRKkxLDAYM7HlJshWfK\nyY8ZKiPSx28ebXORGzW/VC5VunURFPmhvy5hUFo2qFhGhkQZD1Tg5uN+vd7KywgXLiQKWFDweOxY\nkFuTatM9peWNaapAuaYL8D6q/pn6q76cDKiMjTLp1siQsVVzFAZNjywOve5tdqB/Qo7zwX7TggF1\nmrQ=_e132eb870c4a912c56e1bafeb5257b35urn:auth0:fmi-testurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransportmemberstaffstudentGnüggeRobertethz.ch187624@ethz.chuniversity37J7PjSu8hkThPDMZOfZLtca0Ag=robert.gnuegge@bsse.ethz.ch'); - var saml_passport = new SamlPassport({thumbprint: '42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031', + var saml_passport = new SamlPassport({thumbprints: ['42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031'], realm: 'urn:auth0:fmi-test', checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { @@ -184,7 +184,7 @@ describe('interop', function () { it('should validate an assertion with \\r\\n', function (done) { var response = 'PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERl\r\nc3RpbmF0aW9uPSJodHRwczovL3B3Y3Rlc3QuYXV0aDAuY29tL2xvZ2luL2NhbGxiYWNrP2Nvbm5l\r\nY3Rpb249U2l0ZW1pbmRlckRldiIgSUQ9Il9iOTRmZjU0ZmM5OWQzNDMwMDQyMWZiZGMzMjFjNjMz\r\nNmVjNWQiIEluUmVzcG9uc2VUbz0iXzRhZjhhZGQwZTc2YTIwNzI2Njg0IiBJc3N1ZUluc3RhbnQ9\r\nIjIwMTQtMDgtMTJUMDM6MTg6NTFaIiBWZXJzaW9uPSIyLjAiPg0KICAgIDxuczE6SXNzdWVyIHht\r\nbG5zOm5zMT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgRm9ybWF0PSJ1\r\ncm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiPmh0dHBzOi8v\r\ncGFydG5lcnNoaXAtZGV2LnB3Y2ludGVybmFsLmNvbTwvbnMxOklzc3Vlcj4NCiAgICA8U3RhdHVz\r\nPg0KICAgICAgICA8U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4w\r\nOnN0YXR1czpTdWNjZXNzIi8+DQogICAgPC9TdGF0dXM+DQogICAgPG5zMjpBc3NlcnRpb24geG1s\r\nbnM6bnMyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzEyODkx\r\nNGVhM2FiYmJlM2IxNzgzYzY4OWNiZWI3NzViNTQ4MiIgSXNzdWVJbnN0YW50PSIyMDE0LTA4LTEy\r\nVDAzOjE4OjUxWiIgVmVyc2lvbj0iMi4wIj4NCiAgICAgICAgPG5zMjpJc3N1ZXIgRm9ybWF0PSJ1\r\ncm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiPmh0dHBzOi8v\r\ncGFydG5lcnNoaXAtZGV2LnB3Y2ludGVybmFsLmNvbTwvbnMyOklzc3Vlcj48ZHM6U2lnbmF0dXJl\r\nIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4NCjxkczpTaWdu\r\nZWRJbmZvPg0KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3\r\nLnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4NCjxkczpTaWduYXR1cmVNZXRob2QgQWxn\r\nb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCjxk\r\nczpSZWZlcmVuY2UgVVJJPSIjXzEyODkxNGVhM2FiYmJlM2IxNzgzYzY4OWNiZWI3NzViNTQ4MiI+\r\nDQo8ZHM6VHJhbnNmb3Jtcz4NCjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3Lncz\r\nLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPg0KPGRzOlRyYW5zZm9y\r\nbSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0K\r\nPC9kczpUcmFuc2Zvcm1zPg0KPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cu\r\ndzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+DQo8ZHM6RGlnZXN0VmFsdWU+cFV1aHZjMk1D\r\nVXBjQUZMbVM1a1FWR0tCbzhFPTwvZHM6RGlnZXN0VmFsdWU+DQo8L2RzOlJlZmVyZW5jZT4NCjwv\r\nZHM6U2lnbmVkSW5mbz4NCjxkczpTaWduYXR1cmVWYWx1ZT4NCml0UHp5em4xd0IrM3IwQzRieXhV\r\nQzRBL082ZVpDOW1tUnM4c0UwTU5SbVlJVEw1NC9DTEhKMlRlbVhFb2JDMjFvVXZRRGxiSTVJRXYN\r\nCkZvSmFGVXVBVW5rcVFPalVQT1MzbERNM0dITkFkc2ZTWElmMGpGQ1B6Qno3UDlYRzBCZGU0QW9W\r\ndUgvU1J1V29qNksrV1AxSHdYOEgNClpDZVFMc1FBZGNpWTV6SlFnUEJFK24vdzRzem1veDY2Vyt6\r\nNjlRMUVrczdoNkYwQ3RBemlKOW9uR2VTUU5UKzJWelJYUEhDMndDSnUNCklQcDQ1MDJnTFlnNExk\r\ncEN0eHZNd3BiR2RLbjdZZDY1SHFrUjhZKzFMT01ibVlPYk04bWtYN2s5Uy9Cb1NBSDlybjMxUU5v\r\nSVcwbGcNCjZiQzhiRzBXcVlIblFFazN4QnY3SUt2SUFVWFNFL3VUR285dnZBPT0NCjwvZHM6U2ln\r\nbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz4NCjxkczpYNTA5RGF0YT4NCjxkczpYNTA5Q2VydGlm\r\naWNhdGU+DQpNSUlHQURDQ0JPaWdBd0lCQWdJS0hvVmR2Z0FEQUJLL2xEQU5CZ2txaGtpRzl3MEJB\r\nUVVGQURCVU1STXdFUVlLQ1pJbWlaUHlMR1FCDQpHUllEWTI5dE1STXdFUVlLQ1pJbWlaUHlMR1FC\r\nR1JZRGNIZGpNU2d3SmdZRFZRUURFeDlRY21salpYZGhkR1Z5YUc5MWMyVkRiMjl3DQpaWEp6SUVs\r\nemMzVnBibWN4TUI0WERURXpNRFV3TXpFNU16UXdORm9YRFRFMU1URXdNekU1TkRRd05Gb3dnYlF4\r\nQ3pBSkJnTlZCQVlUDQpBbFZUTVJBd0RnWURWUVFJRXdkR2JHOXlhV1JoTVE0d0RBWURWUVFIRXdW\r\nVVlXMXdZVEVqTUNFR0ExVUVDaE1hVUhKcFkyVjNZWFJsDQpjbWh2ZFhObFEyOXZjR1Z5Y3lCTVRG\r\nQXhEREFLQmdOVkJBc1RBMGRVVXpFb01DWUdBMVVFQXhNZmNHRnlkRzVsY25Ob2FYQXRaR1YyDQpM\r\nbkIzWTJsdWRHVnlibUZzTG1OdmJURW1NQ1FHQ1NxR1NJYjNEUUVKQVJZWGJtRjJhVzR1WW1oaGRH\r\nbGhRSFZ6TG5CM1l5NWpiMjB3DQpnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtB\r\nb0lCQVFDN3JDZmdDT2dzMDI5NnJ1bENROWQrQ1BNcmZEdWhuZjRNDQpnQjN2YTB5RUw3OXEvVnVO\r\nTmc4YXptWkVkQTJiME5BWEpMbzB5K1hHY2xrZVpvTTdXaEE0aWMwOUlONiszTVVFenYveXlndTdv\r\nRGhmDQpnanRwbFBoQUtXT0JxWmtPSlFadzdkekZwbHJLOGtuY21WR1EvMS9JaGtpdllLbG5tdW5F\r\nSmh5Y2Y1UTdRZWdqbno3RFZIU3V5TGdiDQp3TWczOWY2d3BvbENacnNrdThwVVB2MVZvclcxb1JH\r\nVlBibkF3VUdNemtkK1pIRHhUa0JWM1NCUnVySWtsL2tUNjdoUmZVb1V0TjFwDQpVTTJmSTJrZkJJ\r\nMzU1L0JzSXRjMVl6cWZEZk8zaHNsS1ZCOWNTL0RYeXFTdEQ5MW5xOHZBUW96QmoxaVNIN0pGOXVQ\r\nYUVZWXFIaDEvDQpWcDgvQWdNQkFBR2pnZ0p4TUlJQ2JUQWRCZ05WSFE0RUZnUVV1Z3R3NzBqRHVs\r\nY2xsMy9Wa2ZhVkFxV1NDVjh3SHdZRFZSMGpCQmd3DQpGb0FVUXFhMTM1dTZ3Y2hubmwrbmV0aStH\r\nblUvZE8wd2dnRUxCZ05WSFI4RWdnRUNNSUgvTUlIOG9JSDVvSUgyaGxCb2RIUndPaTh2DQpZMlZ5\r\nZEdSaGRHRXhMbkIzWTJsdWRHVnlibUZzTG1OdmJTOURaWEowUkdGMFlURXZVSEpwWTJWM1lYUmxj\r\nbWh2ZFhObFEyOXZjR1Z5DQpjeVV5TUVsemMzVnBibWN4TG1OeWJJWlFhSFIwY0RvdkwyTmxjblJr\r\nWVhSaE1pNXdkMk5wYm5SbGNtNWhiQzVqYjIwdlEyVnlkRVJoDQpkR0V5TDFCeWFXTmxkMkYwWlhK\r\nb2IzVnpaVU52YjNCbGNuTWxNakJKYzNOMWFXNW5NUzVqY215R1VHaDBkSEE2THk5alpYSjBaR0Yw\r\nDQpZVE11Y0hkamFXNTBaWEp1WVd3dVkyOXRMME5sY25SRVlYUmhNeTlRY21salpYZGhkR1Z5YUc5\r\nMWMyVkRiMjl3WlhKekpUSXdTWE56DQpkV2x1WnpFdVkzSnNNSUlCR2dZSUt3WUJCUVVIQVFFRWdn\r\nRU1NSUlCQ0RDQmdRWUlLd1lCQlFVSE1BS0dkV2gwZEhBNkx5OWpaWEowDQpaR0YwWVRFdWNIZGph\r\nVzUwWlhKdVlXd3VZMjl0TDBObGNuUkVZWFJoTVM5MWMzUndZVE5uZEhOallUQXpMbTVoYlM1d2Qy\r\nTnBiblJsDQpjbTVoYkM1amIyMWZVSEpwWTJWM1lYUmxjbWh2ZFhObFEyOXZjR1Z5Y3lVeU1FbHpj\r\nM1ZwYm1jeEtETXBMbU55ZERDQmdRWUlLd1lCDQpCUVVITUFLR2RXaDBkSEE2THk5alpYSjBaR0Yw\r\nWVRJdWNIZGphVzUwWlhKdVlXd3VZMjl0TDBObGNuUkVZWFJoTWk5MWMzUndZVE5uDQpkSE5qWVRB\r\nekxtNWhiUzV3ZDJOcGJuUmxjbTVoYkM1amIyMWZVSEpwWTJWM1lYUmxjbWh2ZFhObFEyOXZjR1Z5\r\nY3lVeU1FbHpjM1ZwDQpibWN4S0RNcExtTnlkREFOQmdrcWhraUc5dzBCQVFVRkFBT0NBUUVBcWZo\r\nd2RjN0ZKb2NkTmw5SXpNOFdtTndIZDhGS1F2ZjVKczRZDQpER21jMDh2ZDRLYjRzWW9NL01Uc1Nw\r\nbEFMczRIK3dySWZMbVFIdXBmWlRFMmVDNXRSa0F3dVpWR0I0R0o5a0cwK1E5djNZMzZvNTd3DQo2\r\naGt6QlVGSitKaWJzc2tUNUpNTXZaVnh6SG10K3Z5dmtablBWa2tKWkp1RHA3TW8rZ0daTXY4aTRV\r\nVitHWnlZQWdrS1BDUXR3dVFKDQp5aE90MG1BUDhDb1dsVys1Q2dZVjJzWDRCbUVuZW9LY1JtZXlS\r\nNDlTQ2FEOFFRWmVlcitIQ2NEenJsOWdQOGlkN1NnRTRxL3pNbUd4DQpCRW1HTUQyV0kydzJ6Nnp1\r\nd3QyUktFWnl4QUJka2V2VDk4WG5tQTI0Z0RMVXZsYzNXd2lFd2xkYW0vaVR4VW5rV0hDR2x6WnhG\r\nWXUyDQpTQT09DQo8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4NCjwvZHM6WDUwOURhdGE+DQo8L2RzOktl\r\neUluZm8+DQo8L2RzOlNpZ25hdHVyZT4NCiAgICAgICAgPG5zMjpTdWJqZWN0Pg0KICAgICAgICAg\r\nICAgPG5zMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlk\r\nLWZvcm1hdDp1bnNwZWNpZmllZCI+MTAwMDE2OTA5MTwvbnMyOk5hbWVJRD4NCiAgICAgICAgICAg\r\nIDxuczI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1M\r\nOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICAgICAgICAgIDxuczI6U3ViamVjdENvbmZpcm1hdGlv\r\nbkRhdGEgSW5SZXNwb25zZVRvPSJfNGFmOGFkZDBlNzZhMjA3MjY2ODQiIE5vdE9uT3JBZnRlcj0i\r\nMjAxNC0wOC0xMlQwMzoyMDo1MVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9wd2N0ZXN0LmF1dGgwLmNv\r\nbS9sb2dpbi9jYWxsYmFjaz9jb25uZWN0aW9uPVNpdGVtaW5kZXJEZXYiLz4NCiAgICAgICAgICAg\r\nIDwvbnMyOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgICAgIDwvbnMyOlN1YmplY3Q+DQogICAg\r\nICAgIDxuczI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDgtMTJUMDM6MTc6NTFaIiBOb3RP\r\nbk9yQWZ0ZXI9IjIwMTQtMDgtMTJUMDM6MjA6NTFaIj4NCiAgICAgICAgICAgIDxuczI6QXVkaWVu\r\nY2VSZXN0cmljdGlvbj4NCiAgICAgICAgICAgICAgICA8bnMyOkF1ZGllbmNlPnVybjphdXRoMDpw\r\nd2N0ZXN0OlNpdGVtaW5kZXJEZXY8L25zMjpBdWRpZW5jZT4NCiAgICAgICAgICAgIDwvbnMyOkF1\r\nZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDwvbnMyOkNvbmRpdGlvbnM+DQogICAgICAgIDxu\r\nczI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA4LTExVDIzOjI4OjI1WiIgU2Vz\r\nc2lvbkluZGV4PSJtKzVRKzNYbFVzUUFROURZMldocHFoRWFMNWM9YXd5OGZRPT0iIFNlc3Npb25O\r\nb3RPbk9yQWZ0ZXI9IjIwMTQtMDgtMTJUMDM6MjA6NTFaIj4NCiAgICAgICAgICAgIDxuczI6QXV0\r\naG5Db250ZXh0Pg0KICAgICAgICAgICAgICAgIDxuczI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJu\r\nOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L25zMjpBdXRobkNv\r\nbnRleHRDbGFzc1JlZj4NCiAgICAgICAgICAgIDwvbnMyOkF1dGhuQ29udGV4dD4NCiAgICAgICAg\r\nPC9uczI6QXV0aG5TdGF0ZW1lbnQ+DQogICAgICAgIDxuczI6QXR0cmlidXRlU3RhdGVtZW50Pg0K\r\nICAgICAgICAgICAgPG5zMjpBdHRyaWJ1dGUgTmFtZT0iZm5hbWUiIE5hbWVGb3JtYXQ9InVybjpv\r\nYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPg0KICAg\r\nICAgICAgICAgICAgIDxuczI6QXR0cmlidXRlVmFsdWU+UHVzaHA8L25zMjpBdHRyaWJ1dGVWYWx1\r\nZT4NCiAgICAgICAgICAgIDwvbnMyOkF0dHJpYnV0ZT4NCiAgICAgICAgICAgIDxuczI6QXR0cmli\r\ndXRlIE5hbWU9ImxuYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6\r\nYXR0cm5hbWUtZm9ybWF0OnVuc3BlY2lmaWVkIj4NCiAgICAgICAgICAgICAgICA8bnMyOkF0dHJp\r\nYnV0ZVZhbHVlPkFicm9sPC9uczI6QXR0cmlidXRlVmFsdWU+DQogICAgICAgICAgICA8L25zMjpB\r\ndHRyaWJ1dGU+DQogICAgICAgICAgICA8bnMyOkF0dHJpYnV0ZSBOYW1lPSJlbWFpbCIgTmFtZUZv\r\ncm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1bnNwZWNp\r\nZmllZCI+DQogICAgICAgICAgICAgICAgPG5zMjpBdHRyaWJ1dGVWYWx1ZT5wdXNocC5hYnJvbEB1\r\ncy5wd2MuY29tPC9uczI6QXR0cmlidXRlVmFsdWU+DQogICAgICAgICAgICA8L25zMjpBdHRyaWJ1\r\ndGU+DQogICAgICAgICAgICA8bnMyOkF0dHJpYnV0ZSBOYW1lPSJwd2NndWlkIiBOYW1lRm9ybWF0\r\nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVuc3BlY2lmaWVk\r\nIj4NCiAgICAgICAgICAgICAgICA8bnMyOkF0dHJpYnV0ZVZhbHVlPnBhYnJvbDAwMTwvbnMyOkF0\r\ndHJpYnV0ZVZhbHVlPg0KICAgICAgICAgICAgPC9uczI6QXR0cmlidXRlPg0KICAgICAgICA8L25z\r\nMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgPC9uczI6QXNzZXJ0aW9uPg0KPC9SZXNwb25zZT4=' var samlOptions = { - thumbprint: '6BF18C1DE16D8A6C7B79A0997EF96DEEF90CBF98', + thumbprints: ['6BF18C1DE16D8A6C7B79A0997EF96DEEF90CBF98'], realm: 'urn:auth0:pwctest:SiteminderDev', checkExpiration: false }; @@ -229,7 +229,7 @@ describe('interop', function () { // //console.log(SAMLResponse) // // done(); - // var saml_passport = new SamlPassport({thumbprint: 'ea410870b7699f08888b0b5ef0fbf11a6a157b4b', + // var saml_passport = new SamlPassport({thumbprints: ['ea410870b7699f08888b0b5ef0fbf11a6a157b4b'], // realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', // validateResponse: true, // checkExpiration: false}); // dont check expiration since we are harcoding the token diff --git a/test/saml11.tests.js b/test/saml11.tests.js index b1b033a..19a8b12 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -78,7 +78,7 @@ describe('saml 1.1 assertion', function () { it('should validate an assertion from office365', function (done) { var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; - var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0', + var saml_passport = new SamlPassport({thumbprints: ['3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0'], realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { @@ -92,12 +92,11 @@ describe('saml 1.1 assertion', function () { it('should return error if validation fails', function (done) { var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; - var saml_passport = new SamlPassport({thumbprint: '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe1', // WRONG thumbprint + var saml_passport = new SamlPassport({thumbprints: ['3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe1', '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe2'], // WRONG thumbprints realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { - - assert.ok(error.message.indexOf('Invalid thumbprint') === 0); + assert.equal('Invalid thumbprint (configured: 3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE1, 3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE2. calculated: 3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE0)', error.message); done(); }); From ac5d691fdfea3658cc72418ea19aa260d3e08bcf Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 12 Mar 2015 13:03:12 -0300 Subject: [PATCH 100/203] 1.1.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 44b9458..bbfe13a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.0.1", + "version": "1.1.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From c92bc7bd16801282a19a7fdc010519f4887188cb Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 18 Mar 2015 15:46:31 -0300 Subject: [PATCH 101/203] support signed SAMLRequest --- lib/passport-wsfed-saml2/samlp.js | 56 +++++++++++++++--- .../templates/assert_and_destination.ejs | 6 +- .../templates/samlrequest.ejs | 2 +- test/fixture/samlp-server.js | 16 ++++++ test/samlp.tests.js | 57 ++++++++++++++++--- test/utils.js | 2 +- 6 files changed, 121 insertions(+), 18 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 09f6598..1774bab 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -1,11 +1,12 @@ -var xmldom = require('xmldom'); -var xpath = require('xpath'); -var qs = require('querystring'); -var zlib = require('zlib'); -var xtend = require('xtend'); +var xmldom = require('xmldom'); +var xpath = require('xpath'); +var qs = require('querystring'); +var zlib = require('zlib'); +var xtend = require('xtend'); +var url = require('url'); +var xmlenc = require('xml-encryption'); +var SignedXml = require('xml-crypto').SignedXml; var templates = require('./templates'); -var url = require('url'); -var xmlenc = require('xml-encryption'); var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; @@ -44,6 +45,25 @@ var trimXml = function (xml) { .trim(); }; +var removeHeaders = function (cert) { + var pem = /-----BEGIN (\w*)-----([^-]*)-----END (\w*)-----/g.exec(cert.toString()); + if (pem && pem.length > 0) { + return pem[2].replace(/[\n|\r\n]/g, ''); + } + return null; +}; + +var algorithms = { + signature: { + 'rsa-sha256': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', + 'rsa-sha1': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' + }, + digest: { + 'sha256': 'http://www.w3.org/2001/04/xmlenc#sha256', + 'sha1': 'http://www.w3.org/2000/09/xmldsig#sha1' + } +}; + Samlp.prototype = { getSamlRequestUrl: function (opts, callback) { var options = xtend(opts || {}, this.options); @@ -68,6 +88,28 @@ Samlp.prototype = { var SAMLRequest = trimXml(!options.requestTemplate ? templates.samlrequest(model) : supplant(options.requestTemplate, model)); + if (options.signingKey) { + // sign SAMLRequest + var signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256'; + var digestAlgorithm = options.digestAlgorithm || 'sha256'; + var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[signatureAlgorithm] }); + sig.addReference( + "//*[local-name(.)='AuthnRequest' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']", + ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], + algorithms.digest[digestAlgorithm]); + + sig.keyInfoProvider = { + getKeyInfo: function () { + return '' + removeHeaders(options.signingKey.cert) + ''; + } + }; + + sig.signingKey = options.signingKey.key; + sig.computeSignature(SAMLRequest); + + SAMLRequest = trimXml(sig.getSignedXml()); + } + if (options.deflate) { zlib.deflateRaw(new Buffer(SAMLRequest), function(err, buffer) { if (err) return callback(err); diff --git a/lib/passport-wsfed-saml2/templates/assert_and_destination.ejs b/lib/passport-wsfed-saml2/templates/assert_and_destination.ejs index 6e3b714..bf1eef0 100644 --- a/lib/passport-wsfed-saml2/templates/assert_and_destination.ejs +++ b/lib/passport-wsfed-saml2/templates/assert_and_destination.ejs @@ -1,4 +1,6 @@ <% if (AssertionConsumerServiceURL) { -%> - AssertionConsumerServiceURL="<%= AssertionConsumerServiceURL %>" - Destination="<%= Destination %>" + AssertionConsumerServiceURL="<%= AssertionConsumerServiceURL %>" +<% } -%> +<% if (Destination) { -%> + Destination="<%= Destination %>" <% } -%> \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/templates/samlrequest.ejs b/lib/passport-wsfed-saml2/templates/samlrequest.ejs index 4799914..9e3616f 100644 --- a/lib/passport-wsfed-saml2/templates/samlrequest.ejs +++ b/lib/passport-wsfed-saml2/templates/samlrequest.ejs @@ -1,5 +1,5 @@ + <%- AssertServiceURLAndDestination %> ID="<%= ID %>" IssueInstant="<%= IssueInstant %>"<% if (ForceAuthn) { %> ForceAuthn="true"<% } %> ProtocolBinding="<%= ProtocolBinding %>" Version="2.0"> diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index cb91255..99a1bd3 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -49,6 +49,20 @@ passport.use('samlp-idpurl-with-querystring', new Strategy( }) ); +passport.use('samlp-signedrequest', new Strategy({ + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: identityProviderUrl, + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + signingKey: { + key: fs.readFileSync(path.join(__dirname, '../test-auth0.key')), + cert: fs.readFileSync(path.join(__dirname, '../test-auth0.pem')), + } + }, function(profile, done) { + return done(null, profile); + }) +); + passport.use('samlp-signedresponse', new Strategy( { path: '/callback', @@ -193,6 +207,8 @@ module.exports.start = function(options, callback){ app.get('/login', passport.authenticate('samlp', { protocol: 'samlp', RelayState: relayState })); app.get('/login-idp-with-querystring', passport.authenticate('samlp-idpurl-with-querystring', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-signed-request', passport.authenticate('samlp-signedrequest', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-custom-request-template', passport.authenticate('samlp-custom-request-template', { protocol: 'samlp', RelayState: relayState })); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index e61e7dd..e1eb474 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -1,12 +1,13 @@ -var expect = require('chai').expect; -var server = require('./fixture/samlp-server'); +var expect = require('chai').expect; var request = require('request'); -var qs = require('querystring'); +var qs = require('querystring'); var cheerio = require('cheerio'); -var xmldom = require('xmldom'); -var Samlp = require('../lib/passport-wsfed-saml2/samlp'); -var fs = require('fs'); -var zlib = require('zlib'); +var xmldom = require('xmldom'); +var fs = require('fs'); +var zlib = require('zlib'); +var utils = require('./utils'); +var server = require('./fixture/samlp-server'); +var Samlp = require('../lib/passport-wsfed-saml2/samlp'); describe('samlp (functional tests)', function () { before(function (done) { @@ -336,6 +337,48 @@ describe('samlp (functional tests)', function () { }); + describe('samlp with signed request', function () { + var r, bod; + + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login-signed-request' + }, function (err, resp, b){ + if(err) return callback(err); + r = resp; + bod = b; + done(); + }); + }); + + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + }); + + it('should have signed SAMLRequest with valid signature', function(done){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + + var signedSAMLRequest = querystring.SAMLRequest; + + zlib.inflateRaw(new Buffer(signedSAMLRequest, 'base64'), function (err, buffer) { + if (err) return done(err); + var signedRequest = buffer.toString(); + var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); + + expect(utils.isValidSignature(signedRequest, signingCert)) + .to.equal(true); + done(); + }); + }); + + }); + }); describe('samlp (unit tests)', function () { diff --git a/test/utils.js b/test/utils.js index f5c5c26..e09fe6b 100644 --- a/test/utils.js +++ b/test/utils.js @@ -4,7 +4,7 @@ var xmlCrypto = require('xml-crypto'), exports.isValidSignature = function(assertion, cert) { var doc = new xmldom.DOMParser().parseFromString(assertion); - var signature = xmlCrypto.xpath.SelectNodes(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; + var signature = xmlCrypto.xpath(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); sig.keyInfoProvider = { getKeyInfo: function (key) { From a3dd79c56e9cbb2cacca936142872d94f2a02662 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 18 Mar 2015 15:46:40 -0300 Subject: [PATCH 102/203] 1.2.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index bbfe13a..65c6c2a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.1.0", + "version": "1.2.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 9ec1503bcca7c6e800fee96da38963795a0dea59 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 23 Mar 2015 19:59:21 -0300 Subject: [PATCH 103/203] support sign samlRequest for deflate encoding --- lib/passport-wsfed-saml2/samlp.js | 88 +++++++++++++++++---------- test/fixture/samlp-server.js | 23 ++++++- test/samlp.tests.js | 99 ++++++++++++++++++++++--------- 3 files changed, 149 insertions(+), 61 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 1774bab..39b0467 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -5,6 +5,8 @@ var zlib = require('zlib'); var xtend = require('xtend'); var url = require('url'); var xmlenc = require('xml-encryption'); +var crypto = require('crypto'); +var querystring = require('querystring'); var SignedXml = require('xml-crypto').SignedXml; var templates = require('./templates'); @@ -53,6 +55,12 @@ var removeHeaders = function (cert) { return null; }; +var sign = function (content, key, algorithm) { + var signer = crypto.createSign(algorithm.toUpperCase()); + signer.update(content); + return signer.sign(key, 'base64'); +}; + var algorithms = { signature: { 'rsa-sha256': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', @@ -68,8 +76,11 @@ Samlp.prototype = { getSamlRequestUrl: function (opts, callback) { var options = xtend(opts || {}, this.options); + var signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256'; + var digestAlgorithm = options.digestAlgorithm || 'sha256'; + var assert_and_destination = templates.assert_and_destination({ - Destination: options.identityProviderUrl, + Destination: options.identityProviderUrl, AssertionConsumerServiceURL: options.callback }); @@ -88,42 +99,57 @@ Samlp.prototype = { var SAMLRequest = trimXml(!options.requestTemplate ? templates.samlrequest(model) : supplant(options.requestTemplate, model)); - if (options.signingKey) { - // sign SAMLRequest - var signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256'; - var digestAlgorithm = options.digestAlgorithm || 'sha256'; - var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[signatureAlgorithm] }); - sig.addReference( - "//*[local-name(.)='AuthnRequest' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']", - ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], - algorithms.digest[digestAlgorithm]); - - sig.keyInfoProvider = { - getKeyInfo: function () { - return '' + removeHeaders(options.signingKey.cert) + ''; - } - }; + if (!options.deflate) { + if (options.signingKey) { + // xml with embedded Signature + var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[signatureAlgorithm] }); + sig.addReference( + "//*[local-name(.)='AuthnRequest' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:protocol']", + ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"], + algorithms.digest[digestAlgorithm]); + + sig.keyInfoProvider = { + getKeyInfo: function () { + return '' + removeHeaders(options.signingKey.cert) + ''; + } + }; + + sig.signingKey = options.signingKey.key; + sig.computeSignature(SAMLRequest); - sig.signingKey = options.signingKey.key; - sig.computeSignature(SAMLRequest); + SAMLRequest = trimXml(sig.getSignedXml()); + } - SAMLRequest = trimXml(sig.getSignedXml()); + return callback(null, buildUrl(new Buffer(SAMLRequest))); } - if (options.deflate) { - zlib.deflateRaw(new Buffer(SAMLRequest), function(err, buffer) { - if (err) return callback(err); + // deflate encoding (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf - section 3.4.4.1) + zlib.deflateRaw(new Buffer(SAMLRequest), function (err, buffer) { + if (err) return callback(err); + var params = {}; - callback(null, buildUrl(buffer)); - }); - } else { - callback(null, buildUrl(new Buffer(SAMLRequest))); - } + if (options.signingKey) { + // construct the Signature: a string consisting of the concatenation of the SAMLRequest, + // RelayState (if present) and SigAlg query string parameters (each one URLencoded) + params.SAMLRequest = buffer.toString('base64'); - function buildUrl(buffer) { + if (options.RelayState) { + params.RelayState = options.RelayState; + } + + params.SigAlg = algorithms.signature[signatureAlgorithm]; + params.Signature = sign(querystring.stringify(params), options.signingKey.key, signatureAlgorithm); + } + + callback(null, buildUrl(buffer, params)); + }); + + function buildUrl(buffer, params) { var parsed = url.parse(options.identityProviderUrl, true); - var samlRequest = options.identityProviderUrl.split('?')[0] + '?' + qs.encode( xtend(parsed.query, { SAMLRequest: buffer.toString('base64'), RelayState: options.RelayState || '' })); - return samlRequest; + return options.identityProviderUrl.split('?')[0] + '?' + qs.encode(xtend(parsed.query, { + SAMLRequest: buffer.toString('base64'), + RelayState: options.RelayState || '' + }, params || {})); } }, @@ -232,4 +258,4 @@ function generateUniqueID() { function generateInstant() { var date = new Date(); return date.getUTCFullYear() + '-' + ('0' + (date.getUTCMonth()+1)).slice(-2) + '-' + ('0' + date.getUTCDate()).slice(-2) + 'T' + ('0' + date.getUTCHours()).slice(-2) + ":" + ('0' + date.getUTCMinutes()).slice(-2) + ":" + ('0' + date.getUTCSeconds()).slice(-2) + "Z"; -} \ No newline at end of file +} diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 99a1bd3..9df04e7 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -49,7 +49,7 @@ passport.use('samlp-idpurl-with-querystring', new Strategy( }) ); -passport.use('samlp-signedrequest', new Strategy({ +passport.use('samlp-signedrequest-without-deflate', new Strategy({ path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, @@ -57,7 +57,23 @@ passport.use('samlp-signedrequest', new Strategy({ signingKey: { key: fs.readFileSync(path.join(__dirname, '../test-auth0.key')), cert: fs.readFileSync(path.join(__dirname, '../test-auth0.pem')), - } + }, + deflate: false + }, function(profile, done) { + return done(null, profile); + }) +); + +passport.use('samlp-signedrequest-with-deflate', new Strategy({ + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: identityProviderUrl, + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + signingKey: { + key: fs.readFileSync(path.join(__dirname, '../test-auth0.key')), + cert: fs.readFileSync(path.join(__dirname, '../test-auth0.pem')), + }, + deflate: true }, function(profile, done) { return done(null, profile); }) @@ -207,7 +223,8 @@ module.exports.start = function(options, callback){ app.get('/login', passport.authenticate('samlp', { protocol: 'samlp', RelayState: relayState })); app.get('/login-idp-with-querystring', passport.authenticate('samlp-idpurl-with-querystring', { protocol: 'samlp', RelayState: relayState })); - app.get('/login-signed-request', passport.authenticate('samlp-signedrequest', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-signed-request-without-deflate', passport.authenticate('samlp-signedrequest-without-deflate', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-signed-request-with-deflate', passport.authenticate('samlp-signedrequest-with-deflate', { protocol: 'samlp', RelayState: relayState })); app.get('/login-custom-request-template', passport.authenticate('samlp-custom-request-template', { protocol: 'samlp', RelayState: relayState })); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index e1eb474..2785ccd 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -5,6 +5,7 @@ var cheerio = require('cheerio'); var xmldom = require('xmldom'); var fs = require('fs'); var zlib = require('zlib'); +var crypto = require('crypto'); var utils = require('./utils'); var server = require('./fixture/samlp-server'); var Samlp = require('../lib/passport-wsfed-saml2/samlp'); @@ -338,47 +339,91 @@ describe('samlp (functional tests)', function () { }); describe('samlp with signed request', function () { - var r, bod; + describe('without deflate', function () { + var r, bod; + + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login-signed-request-without-deflate' + }, function (err, resp, b){ + if(err) return callback(err); + r = resp; + bod = b; + done(); + }); + }); - before(function (done) { - request.get({ - jar: request.jar(), - followRedirect: false, - uri: 'http://localhost:5051/login-signed-request' - }, function (err, resp, b){ - if(err) return callback(err); - r = resp; - bod = b; + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + }); + + it('should have signed SAMLRequest with valid signature', function(done){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + expect(querystring.RelayState).to.equal('somestate'); + + var signedSAMLRequest = querystring.SAMLRequest; + var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); + var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); + + expect(utils.isValidSignature(signedRequest, signingCert)) + .to.equal(true); done(); }); }); - it('should redirect to idp', function(){ - expect(r.statusCode) - .to.equal(302); - }); + describe('with deflate', function () { + var r, bod; + + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login-signed-request-with-deflate' + }, function (err, resp, b){ + if(err) return callback(err); + r = resp; + bod = b; + done(); + }); + }); - it('should have signed SAMLRequest with valid signature', function(done){ - expect(r.headers.location.split('?')[0]) - .to.equal(server.identityProviderUrl); - var querystring = qs.parse(r.headers.location.split('?')[1]); - expect(querystring).to.have.property('SAMLRequest'); + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + }); - var signedSAMLRequest = querystring.SAMLRequest; + it('should have signed SAMLRequest with valid signature', function(done){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + expect(querystring).to.have.property('Signature'); + expect(querystring.RelayState).to.equal('somestate'); + expect(querystring.SigAlg).to.equal('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'); - zlib.inflateRaw(new Buffer(signedSAMLRequest, 'base64'), function (err, buffer) { - if (err) return done(err); - var signedRequest = buffer.toString(); var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); + + var signedParams = { + SAMLRequest: querystring.SAMLRequest, + RelayState: querystring.RelayState, + SigAlg: querystring.SigAlg + }; + + var verifier = crypto.createVerify('RSA-SHA256'); + verifier.update(require('querystring').stringify(signedParams)); + var verified = verifier.verify(signingCert, querystring.Signature, 'base64'); - expect(utils.isValidSignature(signedRequest, signingCert)) - .to.equal(true); + expect(verified).to.equal(true); done(); }); }); - }); - }); describe('samlp (unit tests)', function () { From 856a3b6cf261c3c49af069d24b6c8492186a9adb Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 23 Mar 2015 20:19:20 -0300 Subject: [PATCH 104/203] 1.3.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 65c6c2a..c3601f7 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.2.0", + "version": "1.3.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 50099d09db7d67a49396d0e8c2465fccee6405b6 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 23 Mar 2015 22:00:55 -0300 Subject: [PATCH 105/203] minor improvements and bug fixing --- lib/passport-wsfed-saml2/samlp.js | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 39b0467..7ff2b3e 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -98,6 +98,10 @@ Samlp.prototype = { } var SAMLRequest = trimXml(!options.requestTemplate ? templates.samlrequest(model) : supplant(options.requestTemplate, model)); + var params = { + SAMLRequest: null, + RelayState: options.RelayState || '' + }; if (!options.deflate) { if (options.signingKey) { @@ -126,30 +130,28 @@ Samlp.prototype = { // deflate encoding (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf - section 3.4.4.1) zlib.deflateRaw(new Buffer(SAMLRequest), function (err, buffer) { if (err) return callback(err); - var params = {}; - if (options.signingKey) { // construct the Signature: a string consisting of the concatenation of the SAMLRequest, // RelayState (if present) and SigAlg query string parameters (each one URLencoded) params.SAMLRequest = buffer.toString('base64'); - if (options.RelayState) { - params.RelayState = options.RelayState; + if (params.RelayState === '') { + // if there is no RelayState value, the parameter should be omitted from the signature computation + delete params.RelayState; } - + params.SigAlg = algorithms.signature[signatureAlgorithm]; params.Signature = sign(querystring.stringify(params), options.signingKey.key, signatureAlgorithm); } - callback(null, buildUrl(buffer, params)); + callback(null, buildUrl(buffer)); }); - function buildUrl(buffer, params) { + function buildUrl(buffer) { var parsed = url.parse(options.identityProviderUrl, true); - return options.identityProviderUrl.split('?')[0] + '?' + qs.encode(xtend(parsed.query, { - SAMLRequest: buffer.toString('base64'), - RelayState: options.RelayState || '' - }, params || {})); + return options.identityProviderUrl.split('?')[0] + '?' + qs.encode(xtend(parsed.query, params, { + SAMLRequest: buffer.toString('base64') + })); } }, From e3dae312a531c63c8cc9024b725afb6ffb251cf7 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 23 Mar 2015 22:01:03 -0300 Subject: [PATCH 106/203] 1.3.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index c3601f7..b3a54f2 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.3.0", + "version": "1.3.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 51f205cc109ad52916372da48190982f39b508d3 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 16 Apr 2015 16:31:51 -0300 Subject: [PATCH 107/203] avoid uncaughtException --- lib/passport-wsfed-saml2/saml.js | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index f0af123..edf371a 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -62,9 +62,16 @@ SAML.prototype.validateSignature = function (xml, options, callback) { return self.certToPEM(options.cert); } }; - sig.loadSignature(signature.toString()); - var valid = sig.checkSignature(xml.toString()); + var valid; + + try { + sig.loadSignature(signature.toString()); + valid = sig.checkSignature(xml.toString()); + } catch (e) { + return callback(e); + } + if (!valid) { return callback(new Error('Signature check errors: ' + sig.validationErrors)); } From 716100f4819551f27cdd579ae1348686782085cd Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 16 Apr 2015 16:32:18 -0300 Subject: [PATCH 108/203] 1.3.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b3a54f2..00eba66 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.3.1", + "version": "1.3.2", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 99dcee502871366068ab03f2383ada8e4de9e5b9 Mon Sep 17 00:00:00 2001 From: Eugenio Pace Date: Wed, 27 May 2015 17:45:05 -0700 Subject: [PATCH 109/203] Added support for SAML Responses with no embedded signatures --- lib/passport-wsfed-saml2/saml.js | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index edf371a..4199b50 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -46,6 +46,14 @@ SAML.prototype.validateSignature = function (xml, options, callback) { return ""; }, getKey: function (keyInfo) { + + //If there's no embedded signing cert, use the configured cert through options + if(keyInfo.length===0){ + if(!options.cert) throw new Error('options.cert must be specified for SAMLResponses with no embedded signing certificate'); + return self.certToPEM(options.cert); + } + + //If there's an embedded signature and thumprints are provided check that if (options.thumbprints && options.thumbprints.length > 0) { var embeddedSignature = keyInfo[0].getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate"); if (embeddedSignature.length > 0) { @@ -59,6 +67,9 @@ SAML.prototype.validateSignature = function (xml, options, callback) { } } + // If there's an embedded signature, but no thumprints are supplied, use options.cert + // either options.cert or options.thumbprints must be specified so at this point there + // must be an options.cert return self.certToPEM(options.cert); } }; From e191a007da472121bc9a3ea2b333e3c5a95f3450 Mon Sep 17 00:00:00 2001 From: Eugenio Pace Date: Wed, 27 May 2015 21:12:11 -0700 Subject: [PATCH 110/203] Added interop tests --- test/interop.tests.js | 60 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/test/interop.tests.js b/test/interop.tests.js index 68ad299..7429f54 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -206,6 +206,66 @@ describe('interop', function () { }); + it('should throw an exception when validating an assertion from RSA IDM with no embedded signature and supplying only thumbrints', function (done) { + var response = 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9uZXRmb3JteC5hdXRoMC5jb20vbG9naW4vY2FsbGJhY2s/Y29ubmVjdGlvbj1lbWMtdGVzdCIgSUQ9ImVkNmIxZDg4NDk0OTJjOTZiN2U1MmU0OGI1N2YxZGU0IiBJblJlc3BvbnNlVG89Il82ODhjNzJjYzBlMWE1ZGZjN2M3NiIgSXNzdWVJbnN0YW50PSIyMDE1LTA1LTI3VDExOjM1OjQxWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2VtYy5jb20vaWRwL05ldGZvcm14PC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+CjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPgo8ZHM6UmVmZXJlbmNlIFVSST0iI2VkNmIxZDg4NDk0OTJjOTZiN2U1MmU0OGI1N2YxZGU0Ij4KPGRzOlRyYW5zZm9ybXM+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI+PC9kczpUcmFuc2Zvcm0+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9kczpEaWdlc3RNZXRob2Q+CjxkczpEaWdlc3RWYWx1ZT5iYUtkS2hwQlZhT1lHSS8vVkNEU1N5b2JoY2s9PC9kczpEaWdlc3RWYWx1ZT4KPC9kczpSZWZlcmVuY2U+CjwvZHM6U2lnbmVkSW5mbz4KPGRzOlNpZ25hdHVyZVZhbHVlPgpGLzgrZUJpbWwrWWJqNmM1VERvaDNmYTY3Z01xRGlUV3hnamIrNmtjQTk2RDczcUdKSWhQWjhKZlZlM0paTHpQbUVUbm9oN0diWStyCjNFR3JqZk50bmJiRVdvYi9TUC9QQkxUOWhkeDdCR3FiT1dlTVlkTjYyWCs3OWFMZHd6QitNNkR2dXIreWlqS1NjVHhtdHNkeko4QXMKclRKN1pSTEZNMXcxR09qUzFQdEo3N2wxeENEWU9hb0VwSVZ1SlByRjZmNmVEUWJSTldVdUE5TVQ5d3BrYlhZbHYrTnFCWkswenZUTgpBK1Myc1AzUXhYenozVU9OeVlHdENPZEIrZzFybTgzNklNMHp4bUVMMys3QUdjNHBUVlJpRU5Sb2w2dDFFbGxxWVp5d1M3K2RoMGI0CnRXcGVhS2JTU2RKY1lGTnI2WUpsamZJUG9LZy9oelFKejdhSDBRPT0KPC9kczpTaWduYXR1cmVWYWx1ZT4KPC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIj48L3NhbWxwOlN0YXR1c0NvZGU+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIElEPSJlOTFhNzE1NTUzZWQ2NWFjY2RiMGNkYzVjYWVmMzk3YSIgSXNzdWVJbnN0YW50PSIyMDE1LTA1LTI3VDExOjM1OjQxWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2VtYy5jb20vaWRwL05ldGZvcm14PC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj43OTM1Mjwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzY4OGM3MmNjMGUxYTVkZmM3Yzc2IiBOb3RPbk9yQWZ0ZXI9IjIwMTUtMDUtMjdUMTE6MzY6NDFaIiBSZWNpcGllbnQ9Imh0dHBzOi8vbmV0Zm9ybXguYXV0aDAuY29tL2xvZ2luL2NhbGxiYWNrP2Nvbm5lY3Rpb249ZW1jLXRlc3QiPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNS0wNS0yN1QxMTozNToxMVoiIE5vdE9uT3JBZnRlcj0iMjAxNS0wNS0yN1QxMTozNjo0MVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+dXJuOmF1dGgwOm5ldGZvcm14OmVtYy10ZXN0PC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNS0wNS0yN1QxMTozNDoxNloiIFNlc3Npb25JbmRleD0iZTkxYTcxNTU1M2VkNjVhY2NkYjBjZGM1Y2FlZjM5N2EiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpLZXJiZXJvczwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJ1c2VyX2lkIiBOYW1lPSJ1c2VyX2lkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj43OTM1Mjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9ImVtYWlsIiBOYW1lPSJlbWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+cmlja3kuYnJvd25AZW1jLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==' + var samlOptions = { + thumbprints: ['bc58b95946e0c96b464b561b02d740aeae88875a'], + realm: 'urn:auth0:netformx:emc-test', + checkExpiration: false + }; + + var samlpOptions = { + protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' + }; + + var sm = new SamlPassport(samlOptions); + var sp = new samlp(samlpOptions, sm); + + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + function(err, profile){ + if (err) { + assert.ok(err); + return done(); + } + done('error expected'); + }); + }); + + it('should validate an assertion from RSA IDM with no embedded signature and supplying a cert', function (done) { + var response = 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9uZXRmb3JteC5hdXRoMC5jb20vbG9naW4vY2FsbGJhY2s/Y29ubmVjdGlvbj1lbWMtdGVzdCIgSUQ9ImVkNmIxZDg4NDk0OTJjOTZiN2U1MmU0OGI1N2YxZGU0IiBJblJlc3BvbnNlVG89Il82ODhjNzJjYzBlMWE1ZGZjN2M3NiIgSXNzdWVJbnN0YW50PSIyMDE1LTA1LTI3VDExOjM1OjQxWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2VtYy5jb20vaWRwL05ldGZvcm14PC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+CjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPgo8ZHM6UmVmZXJlbmNlIFVSST0iI2VkNmIxZDg4NDk0OTJjOTZiN2U1MmU0OGI1N2YxZGU0Ij4KPGRzOlRyYW5zZm9ybXM+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI+PC9kczpUcmFuc2Zvcm0+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9kczpEaWdlc3RNZXRob2Q+CjxkczpEaWdlc3RWYWx1ZT5iYUtkS2hwQlZhT1lHSS8vVkNEU1N5b2JoY2s9PC9kczpEaWdlc3RWYWx1ZT4KPC9kczpSZWZlcmVuY2U+CjwvZHM6U2lnbmVkSW5mbz4KPGRzOlNpZ25hdHVyZVZhbHVlPgpGLzgrZUJpbWwrWWJqNmM1VERvaDNmYTY3Z01xRGlUV3hnamIrNmtjQTk2RDczcUdKSWhQWjhKZlZlM0paTHpQbUVUbm9oN0diWStyCjNFR3JqZk50bmJiRVdvYi9TUC9QQkxUOWhkeDdCR3FiT1dlTVlkTjYyWCs3OWFMZHd6QitNNkR2dXIreWlqS1NjVHhtdHNkeko4QXMKclRKN1pSTEZNMXcxR09qUzFQdEo3N2wxeENEWU9hb0VwSVZ1SlByRjZmNmVEUWJSTldVdUE5TVQ5d3BrYlhZbHYrTnFCWkswenZUTgpBK1Myc1AzUXhYenozVU9OeVlHdENPZEIrZzFybTgzNklNMHp4bUVMMys3QUdjNHBUVlJpRU5Sb2w2dDFFbGxxWVp5d1M3K2RoMGI0CnRXcGVhS2JTU2RKY1lGTnI2WUpsamZJUG9LZy9oelFKejdhSDBRPT0KPC9kczpTaWduYXR1cmVWYWx1ZT4KPC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIj48L3NhbWxwOlN0YXR1c0NvZGU+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIElEPSJlOTFhNzE1NTUzZWQ2NWFjY2RiMGNkYzVjYWVmMzk3YSIgSXNzdWVJbnN0YW50PSIyMDE1LTA1LTI3VDExOjM1OjQxWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cDovL2VtYy5jb20vaWRwL05ldGZvcm14PC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj43OTM1Mjwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzY4OGM3MmNjMGUxYTVkZmM3Yzc2IiBOb3RPbk9yQWZ0ZXI9IjIwMTUtMDUtMjdUMTE6MzY6NDFaIiBSZWNpcGllbnQ9Imh0dHBzOi8vbmV0Zm9ybXguYXV0aDAuY29tL2xvZ2luL2NhbGxiYWNrP2Nvbm5lY3Rpb249ZW1jLXRlc3QiPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNS0wNS0yN1QxMTozNToxMVoiIE5vdE9uT3JBZnRlcj0iMjAxNS0wNS0yN1QxMTozNjo0MVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+dXJuOmF1dGgwOm5ldGZvcm14OmVtYy10ZXN0PC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNS0wNS0yN1QxMTozNDoxNloiIFNlc3Npb25JbmRleD0iZTkxYTcxNTU1M2VkNjVhY2NkYjBjZGM1Y2FlZjM5N2EiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpLZXJiZXJvczwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48c2FtbDpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJ1c2VyX2lkIiBOYW1lPSJ1c2VyX2lkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj43OTM1Mjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9ImVtYWlsIiBOYW1lPSJlbWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+cmlja3kuYnJvd25AZW1jLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg=='; + var encoded_cert = 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tIApNSUlGVERDQ0JEU2dBd0lCQWdJUkFOYjZhMktpVzIzS3d1TFZWYjlyamRjd0RRWUpLb1pJaHZjTkFRRUZCUUF3CmdaNHhDekFKQmdOVkJBWVRBbFZUTVJZd0ZBWURWUVFJRXcxTllYTnpZV05vZFhObGRIUnpNUkF3RGdZRFZRUUgKRXdkQ1pXUm1iM0prTVJrd0Z3WURWUVFLRXhCU1UwRWdVMlZqZFhKcGRIa2dURXhETVNVd0l3WURWUVFMRXh4SApiRzlpWVd3Z1UyVmpkWEpwZEhrZ1QzSm5ZVzVwZW1GMGFXOXVNU013SVFZRFZRUURFeHBTVTBFZ1EyOXljRzl5CllYUmxJRk5sY25abGNpQkRRU0IyTWpBZUZ3MHhOREF4TVRjeE9USXpNVE5hRncweE5qQXhNVGN4T1RJek1UTmEKTUlHYU1Rc3dDUVlEVlFRR0V3SlZVekVXTUJRR0ExVUVDQk1OVFdGemMyRmphSFZ6WlhSMGN6RVNNQkFHQTFVRQpCeE1KU0c5d2EybHVkRzl1TVJnd0ZnWURWUVFLRXc5RlRVTWdRMjl5Y0c5eVlYUnBiMjR4SnpBbEJnTlZCQXNUCkhrVnVkR1Z5Y0hKcGMyVWdWR1ZqYUc1dmJHOW5lU0JUWlhKMmFXTmxjekVjTUJvR0ExVUVBeE1UWm1sdGRITjAKTG1semRYTXVaVzFqTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU9pSApodmpiSXg0TEhlSHZGOFRzMDRMa3hlRm1abFRRNHRVQjVvSm05ajE5aU92aDdXZ2U2cE0yWEQrejhRWlFXK2NUCm4vTGtBUDM1djRzVGt1Z3BPVExmOHc5ekJESXpTQ01BOWVqeisvS0p6enhFVUtaZVo0TU1jbldUeGpXS05zR0cKOXVtcjUxTVQ3THU4aFgwNUIyMFBrbVB5Zkt4ZExDQVJqZUhGWlBQZVF3NGd0VDVDbmJIUW0yRlE5SFJEWFhGdwo2V1lmVXRGTXRnNEl1LzJxbTF6eWpBejNjTjN1K1FXcXlZUG1rRzR2TFU5L2xzclpPYXN6TU84czBrQWo3Z2tPCkV2akdXaW1RRTB2N2F5M0xpYzcrbGZMRURLVVR6R2pvQkJnc1dEc1BZWHF0OTA1RGx1UDJMRzNLVmMvc0hLRmIKN2V5VUp1T0FaMHpDM2Q0Y2tYa0NBd0VBQWFPQ0FZVXdnZ0dCTUE0R0ExVWREd0VCL3dRRUF3SUR1REFSQmdsZwpoa2dCaHZoQ0FRRUVCQU1DQnNBd0hnWURWUjBSQkJjd0ZZSVRabWx0ZEhOMExtbHpkWE11WlcxakxtTnZiVEFmCkJnTlZIU01FR0RBV2dCUXA4OEpqMC9IMUM2Vy9zbDNmWVJDVU5NOUhERENCa1FZRFZSMGdCSUdKTUlHR01JR0QKQmdrcWhraUc5dzBGQndVd2RqQXVCZ2dyQmdFRkJRY0NBUllpYUhSMGNEb3ZMMk5oTG5KellYTmxZM1Z5YVhSNQpMbU52YlM5RFVGTXVhSFJ0YkRCRUJnZ3JCZ0VGQlFjQ0FqQTRNQmNXRUZKVFFTQlRaV04xY21sMGVTQk1URU13CkF3SUJBUm9kUTFCVElFbHVZMjl5Y0c5eVlYUmxaQ0JpZVNCeVpXWmxjbVZ1WTJVd0hRWURWUjBsQkJZd0ZBWUkKS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUIwR0ExVWREZ1FXQkJUdFdoSnE5S3VsMXpNbHIrOHVSbldheitRVQpZekJKQmdOVkhSOEVRakJBTUQ2Z1BLQTZoamhvZEhSd09pOHZZM0pzTG5KellYTmxZM1Z5YVhSNUxtTnZiVG80Ck1DOVNVMEZEYjNKd2IzSmhkR1ZUWlhKMlpYSkRRWFl5TG1OeWJEQU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUEKTWFidGJCNXIwWU5lcTByRitsdmZKc3dMVTFZU2xxOHNaTkJVbzZDNWJIOFN3c01yeXJxUldZcUhoMWdkb21SUApGNWpYanFIWlE3UG9LcW9Ca1NRbU9kNERxdHp0NTlmUHp3MG5nRU9MdFN4M1Z2QldXU21LYTJwdDZ4a21PbGFxCi9nVTdzZElacTBjeGlSbERuaUZDQVp5dERtWWo2T1lndlIrQlN5WmdNM3VnaXltQlNlUjQ2M2owbkZ3bDIrM28KRXRFUnpTdW9paGRtYzhkV09TaU0zSWtja25wUzh4cnpRUjd5NVZkbnBoa2Q5K09rekt1UFM4WVNBYkw3WFl5OQpZWXYwR3lJdVBVa0VhL3FRNnlGR0k2NU5PR3ZDZWlGRjRvc2N0NmxVSFM5THZNZG1jeFl5cVg3UEhkUnh1ZHJFCkZDNWhCT2tZclNidVNKNUpGTEdPM0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=='; + var cert = pemToCert(new Buffer(encoded_cert, 'base64').toString()); + var samlOptions = { + cert: cert, + thumbprints: ['bc58b95946e0c96b464b561b02d740aeae88875a'], + realm: 'urn:auth0:netformx:emc-test', + checkExpiration: false + }; + + var samlpOptions = { + cert: cert, + }; + + var sm = new SamlPassport(samlOptions); + var sp = new samlp(samlpOptions, sm); + + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + function(err, profile){ + if (err) return done(err); + assert.ok(profile); + expect(profile['email']).to.equal('ricky.brown@emc.com'); + done(); + }); + + function pemToCert(pem) { + var cert = /-----BEGIN CERTIFICATE-----([^-]*)-----END CERTIFICATE-----/g.exec(pem.toString()); + if (cert.length > 0) { + return cert[1].replace(/[\n|\r\n]/g, ''); + } + return null; + }; + }); + // it('should validate a saml response from datapower', function (done) { // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; From 31137516eec421632c1aa645a77a02585f74e7ce Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Thu, 28 May 2015 02:05:39 -0300 Subject: [PATCH 111/203] 1.3.3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 00eba66..e9b160c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.3.2", + "version": "1.3.3", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From a8b4c00017751a14e8d050af44a83d5b5ef84179 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Thu, 11 Jun 2015 08:28:42 -0300 Subject: [PATCH 112/203] minor --- lib/passport-wsfed-saml2/saml.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 4199b50..87a215e 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -48,7 +48,7 @@ SAML.prototype.validateSignature = function (xml, options, callback) { getKey: function (keyInfo) { //If there's no embedded signing cert, use the configured cert through options - if(keyInfo.length===0){ + if(!keyInfo || keyInfo.length===0){ if(!options.cert) throw new Error('options.cert must be specified for SAMLResponses with no embedded signing certificate'); return self.certToPEM(options.cert); } @@ -68,7 +68,7 @@ SAML.prototype.validateSignature = function (xml, options, callback) { } // If there's an embedded signature, but no thumprints are supplied, use options.cert - // either options.cert or options.thumbprints must be specified so at this point there + // either options.cert or options.thumbprints must be specified so at this point there // must be an options.cert return self.certToPEM(options.cert); } @@ -82,7 +82,7 @@ SAML.prototype.validateSignature = function (xml, options, callback) { } catch (e) { return callback(e); } - + if (!valid) { return callback(new Error('Signature check errors: ' + sig.validationErrors)); } From e1ec219900253270af2e8586f2f3c43f1bbb82a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Thu, 11 Jun 2015 08:28:46 -0300 Subject: [PATCH 113/203] 1.3.4 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e9b160c..39645c1 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.3.3", + "version": "1.3.4", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 4bb74594deefda03cbf67668b8e766635b351dce Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 15 Jun 2015 11:36:16 -0500 Subject: [PATCH 114/203] saml11: fix nameIdentifier resolver --- lib/passport-wsfed-saml2/saml.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 87a215e..f7e6e23 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -168,8 +168,14 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { } function getNameID11(samlAssertion) { - var nameId = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); - if (nameId.length === 0) return; + var nameId = xpath.select("//*[local-name(.)='AuthenticationStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); + + if (nameId.length === 0) { + // only for backward compatibility with adfs + nameId = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); + if (nameId.length === 0) return; + } + return nameId[0].textContent; } From 4305d92dad34983dba84244a3755995b20c35393 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 15 Jun 2015 11:36:25 -0500 Subject: [PATCH 115/203] 1.3.5 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 39645c1..e6efe48 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.3.4", + "version": "1.3.5", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 9f6038b69d41aa93035d6f9e53f5015d0d18abb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Thu, 16 Jul 2015 09:26:04 -0300 Subject: [PATCH 116/203] update jsonwebtoken --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e6efe48..6484e06 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "dependencies": { "cryptiles": "~0.2.2", "ejs": "~0.8.3", - "jsonwebtoken": "~3.2.0", + "jsonwebtoken": "~5.0.4", "passport": "0.1.x", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", "xml-encryption": "~0.7.2", From 268c138631c250f8f633b78c900431959406bbef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=CC=81=20F=2E=20Romaniello?= Date: Thu, 16 Jul 2015 09:26:12 -0300 Subject: [PATCH 117/203] 2.0.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 6484e06..c5f1959 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "1.3.5", + "version": "2.0.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 9d1a60483f23a548e9cddead176f1c32f6e1625d Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 23 Jul 2015 16:19:49 -0300 Subject: [PATCH 118/203] accept RelayState from options.identityProviderUrl --- lib/passport-wsfed-saml2/samlp.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 7ff2b3e..0103c43 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -98,9 +98,10 @@ Samlp.prototype = { } var SAMLRequest = trimXml(!options.requestTemplate ? templates.samlrequest(model) : supplant(options.requestTemplate, model)); + var parsedUrl = url.parse(options.identityProviderUrl, true); var params = { SAMLRequest: null, - RelayState: options.RelayState || '' + RelayState: options.RelayState || (parsedUrl.query && parsedUrl.query.RelayState) || '' }; if (!options.deflate) { @@ -148,8 +149,7 @@ Samlp.prototype = { }); function buildUrl(buffer) { - var parsed = url.parse(options.identityProviderUrl, true); - return options.identityProviderUrl.split('?')[0] + '?' + qs.encode(xtend(parsed.query, params, { + return options.identityProviderUrl.split('?')[0] + '?' + qs.encode(xtend(parsedUrl.query, params, { SAMLRequest: buffer.toString('base64') })); } From c6891e06c972245531949f7592659091ae826150 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 23 Jul 2015 16:19:59 -0300 Subject: [PATCH 119/203] 2.0.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index c5f1959..e2cba77 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.0.0", + "version": "2.0.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From a78c6a022378cb3c1fa32b7a6eb9be31697d721e Mon Sep 17 00:00:00 2001 From: Eugenio Pace Date: Sat, 29 Aug 2015 10:00:43 -0700 Subject: [PATCH 120/203] Added support for ws-trust 1.3 namespace --- lib/passport-wsfed-saml2/wsfederation.js | 7 ++++++ package.json | 2 +- test/interop.tests.js | 31 ++++++++++++++++++++++++ test/wsfed-result.xml | 16 ++++++++++++ 4 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 test/wsfed-result.xml diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index 1521e3e..54f28ad 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -29,7 +29,14 @@ WsFederation.prototype = { extractToken: function(req) { var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']); + + // //Probe WS-Trust 1.2 namespace (http://schemas.xmlsoap.org/ws/2005/02/trust) var token = doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0]; + + // //Probe WS-Trust 1.3 namespace (http://docs.oasis-open.org/ws-sx/ws-trust/200512) + if(!token){ + token = doc.getElementsByTagNameNS('http://docs.oasis-open.org/ws-sx/ws-trust/200512', 'RequestedSecurityToken')[0]; + } return token && token.firstChild; } diff --git a/package.json b/package.json index e2cba77..b1339a9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.0.1", + "version": "2.0.2", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" diff --git a/test/interop.tests.js b/test/interop.tests.js index 7429f54..e1643c2 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -6,6 +6,7 @@ var assert = require('assert'), saml11 = require('saml').Saml11, SamlPassport = require('../lib/passport-wsfed-saml2/saml').SAML, samlp = require('../lib/passport-wsfed-saml2/samlp'); + wsfed = require('../lib/passport-wsfed-saml2').Strategy; var request = require('request'); var server = require('./fixture/samlp-server'); @@ -266,7 +267,37 @@ describe('interop', function () { }; }); + it('should validate an assertion from a WS-Fed STS using WS-Trust 1.3 namespaces', function (done) { + + var options = { + thumbprint: '1756139e2a046d3c494daae6bbfa542a4367bc60', + checkExpiration: false, + realm: 'http://dev.pms.baxon.net/' + }; + + var s = new wsfed(options, function(u,done){ + expect(u['email']).to.equal('fhermida@baxonpe.com'); + done(); + }); + + s.fail = function(e,code){ + done(e); + }; + s.error = function(e){ + done(e); + }; + + var response = fs.readFileSync(__dirname + '/wsfed-result.xml').toString(); + + var req = { + body : { + wresult: response + } + }; + + s._authenticate_saml(req); + }); // it('should validate a saml response from datapower', function (done) { // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; // //var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage'; diff --git a/test/wsfed-result.xml b/test/wsfed-result.xml new file mode 100644 index 0000000..4f383a5 --- /dev/null +++ b/test/wsfed-result.xml @@ -0,0 +1,16 @@ +2015-07-23T15:40:26.113Z2015-07-23T16:40:26.113Z
http://dev.pms.baxon.net/
http://dev.pms.baxon.net/1266urn:oasis:names:tc:SAML:1.0:cm:beareradminfhermida@baxonpe.com6SWgcwiTgl1oclmMGiV0p/QQ2hi9irdIbQuPhsvcsHY=0Wg17usFmMpPNDlPcyXvP9f6i2kQ3RDRvkebBkrEZkYYfmyj8VUhGrkrYRiyGPZNp8jEkbbt/tujc4lOkYB03rpj3FvUx+v8Y/RZbPyfCjXR9FLdWfXwhkz2HW1+n7vqwNxpuLRZDXmOiT1RgSYoLG9A7EgBqMtRZBXS75+rWZfCGqYk9KN+NoSUJnRepdA3BquQXq2zvPO/NwUtPNhfDiE763Wx7AgS1Ni3WO+Yqc0lFA04LJ4uU1KPVKHaY48nSWRLGMJJIF65qEHLdJXl164W72vAXGkZutFh46diNu7g2U+0SHoz04BewTcLR1HfcMo955O4Y1PZz32bw+TTuQ==MIIC8DCCAdigAwIBAgIQUwBSjcy73ZVOX5nV9aGv0zANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExFkZXYucG1zLmJheG9uLm5ldDAeFw0xMjA5MTgxODEzMjhaFw0xMzA5MTkwMDEzMjhaMBwxGjAYBgNVBAMTEWRldi5wbXMuYmF4b24ubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ldGxCKIA5sIbwsl9WNpF59jVFG7UZvKjPixxNoxnUHKHll5u14XA1eJvZUgPdOSjRTMTnWN9YpMLumC2PWzNg7PKDNMP6uVnFkmdXI+q31b5WjYkuKOyaGdjFEGRMcr+vqSrcnkUWujXL1t3P+RoabN5svduYaQF20GU5I52EOhzzK+ogE6zHHFaHibjiFQ4ww/Ip9cytCzCsfl258RkauJ3xCVCTVji9MpwmX/1Rj8sma54FN+u2MB9i8GcGrN+ZFxoM98WX6GA1/5B3ZCx1BgHz0D3dXhCi4xU7N7yvkYC4TwHkOjLxmkjz2UP/jm28/R0NNO/HdbFPNFtZ66/wIDAQABoy4wLDALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFPbqbWG48yDRzE3kutclDzPN3pDnMA0GCSqGSIb3DQEBBQUAA4IBAQB6QIauvKs8bzhI5YZHOdqAhINVbA1m4ulJzlLXbPDbwfD5U4ginePbLxPvvP3jfTujaztD7YK9bxdFTFWdvCSX+RV1zK8wvNZSRV4d3F7ZSXZzmipoInUsTh9U+grqdpdcMddKge/6RDubLD92k6aSKLrOyrFj0oJfkqFgXJnPpVqIlfqjjXRtQ90RUJQJh4qssOHC2a/cwgeBsFj2ei8Rq4tFIo5QO8zDtvKz7E3ZBFiclWjhcZ3t8u2M7JSRk/bk0tTiQyFFzzDx7nZvi8qP00l3ynNOmsz2SeHkSAPrDQ4JRee50ULOuPCC5ySZS326gsq/UXz8zQybp6fFGW1B + + + _b996a6d2-0556-4292-ab63-bcbb183a1eca + + + + + _b996a6d2-0556-4292-ab63-bcbb183a1eca + + +urn:oasis:names:tc:SAML:1.0:assertion +http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue +http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer + + From 2d1041c0c79a323f2408337577fe9baccd7aa425 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Sun, 30 Aug 2015 16:19:58 -0300 Subject: [PATCH 121/203] rename wsfed-result test file --- test/interop.tests.js | 10 +++++----- test/{wsfed-result.xml => wsfed-result-wstrust13.xml} | 0 2 files changed, 5 insertions(+), 5 deletions(-) rename test/{wsfed-result.xml => wsfed-result-wstrust13.xml} (100%) diff --git a/test/interop.tests.js b/test/interop.tests.js index e1643c2..47dff72 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -222,7 +222,7 @@ describe('interop', function () { var sm = new SamlPassport(samlOptions); var sp = new samlp(samlpOptions, sm); - sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), function(err, profile){ if (err) { assert.ok(err); @@ -250,7 +250,7 @@ describe('interop', function () { var sm = new SamlPassport(samlOptions); var sp = new samlp(samlpOptions, sm); - sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), function(err, profile){ if (err) return done(err); assert.ok(profile); @@ -264,7 +264,7 @@ describe('interop', function () { return cert[1].replace(/[\n|\r\n]/g, ''); } return null; - }; + } }); it('should validate an assertion from a WS-Fed STS using WS-Trust 1.3 namespaces', function (done) { @@ -285,10 +285,10 @@ describe('interop', function () { }; s.error = function(e){ - done(e); + done(e); }; - var response = fs.readFileSync(__dirname + '/wsfed-result.xml').toString(); + var response = fs.readFileSync(__dirname + '/wsfed-result-wstrust13.xml').toString(); var req = { body : { diff --git a/test/wsfed-result.xml b/test/wsfed-result-wstrust13.xml similarity index 100% rename from test/wsfed-result.xml rename to test/wsfed-result-wstrust13.xml From 94075b91f92b666848612e98e0214c42991603be Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 31 Aug 2015 14:13:30 -0300 Subject: [PATCH 122/203] add AuthnContext macro for options.requestTemplate --- lib/passport-wsfed-saml2/samlp.js | 3 ++- lib/passport-wsfed-saml2/strategy.js | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 0103c43..38c888a 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -90,7 +90,8 @@ Samlp.prototype = { Issuer: options.realm, ProtocolBinding: options.protocolBinding, ForceAuthn: options.forceAuthn, - AssertServiceURLAndDestination: assert_and_destination + AssertServiceURLAndDestination: assert_and_destination, + AuthnContext: options.authnContext }; if (options.requestContext) { diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index a80aa31..40dee6a 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -95,6 +95,7 @@ Strategy.prototype._authenticate_jwt = function (req) { Strategy.prototype.authenticate = function (req, opts) { var self = this; var protocol = opts.protocol || this.options.protocol; + var authzParams = this.authorizationParams(opts); function executeWsfed(req) { if (req.body && req.method == 'POST' && req.body.wresult) { @@ -106,8 +107,7 @@ Strategy.prototype.authenticate = function (req, opts) { } } else { // Initiate new ws-fed authentication request - var params = self.authorizationParams(opts); - var idpUrl = self._wsfed.getRequestSecurityTokenUrl(params); + var idpUrl = self._wsfed.getRequestSecurityTokenUrl(authzParams); self.redirect(idpUrl); } } @@ -136,7 +136,7 @@ Strategy.prototype.authenticate = function (req, opts) { }); } else { // Initiate new samlp authentication request - self._samlp.getSamlRequestUrl(opts, function(err, url) { + self._samlp.getSamlRequestUrl(authzParams, function(err, url) { if (err) return self.error(err); self.redirect(url); From 1fadad0503ff9114cb5d91d6146936020fa6ca5a Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 31 Aug 2015 14:13:46 -0300 Subject: [PATCH 123/203] 2.1.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b1339a9..11a7f51 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.0.2", + "version": "2.1.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From a86001590d4e5dc69f181c35e41930c108997e97 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 1 Sep 2015 11:06:42 -0300 Subject: [PATCH 124/203] use empty string as default value for @@AuthnContext@@ --- lib/passport-wsfed-saml2/samlp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 38c888a..2dc98f7 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -91,7 +91,7 @@ Samlp.prototype = { ProtocolBinding: options.protocolBinding, ForceAuthn: options.forceAuthn, AssertServiceURLAndDestination: assert_and_destination, - AuthnContext: options.authnContext + AuthnContext: options.authnContext || '' }; if (options.requestContext) { From 540caf2f8919954d74f11a782420fd0c70d6f6a5 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 1 Sep 2015 11:06:46 -0300 Subject: [PATCH 125/203] 2.1.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 11a7f51..00b1504 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.1.0", + "version": "2.1.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From c291f1969d46b886761c292b65710264d98b4082 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 8 Oct 2015 17:50:01 -0300 Subject: [PATCH 126/203] samlp: check for AuthnFailed status --- .jshintrc | 39 +++++++++++++++ .../errors/AuthenticationFailedError.js | 12 +++++ lib/passport-wsfed-saml2/samlp.js | 47 +++++++++++++++++++ 3 files changed, 98 insertions(+) create mode 100644 .jshintrc create mode 100644 lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js diff --git a/.jshintrc b/.jshintrc new file mode 100644 index 0000000..9de7a50 --- /dev/null +++ b/.jshintrc @@ -0,0 +1,39 @@ +{ + "camelcase": false, + "curly": false, + + "node": true, + "esnext": true, + "bitwise": true, + "eqeqeq": true, + "immed": true, + "indent": 2, + "latedef": false, + "newcap": true, + "noarg": true, + "regexp": true, + "undef": true, + "strict": false, + "smarttabs": true, + "expr": true, + + "evil": true, + "browser": true, + "regexdash": true, + "wsh": true, + "trailing": true, + "sub": true, + "unused": true, + "laxcomma": true, + "nonbsp": true, + + "globals": { + "after": false, + "before": false, + "afterEach": false, + "beforeEach": false, + "describe": false, + "it": false, + "escape": false + } +} diff --git a/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js b/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js new file mode 100644 index 0000000..3dd2101 --- /dev/null +++ b/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js @@ -0,0 +1,12 @@ +function AuthenticationFailedError (message, detail) { + var err = Error.call(this, message); + err.name = 'AuthenticationFailedError'; + err.message = message || 'Authentication Failed'; + err.detail = detail; + return err; +} + +AuthenticationFailedError.prototype = Object.create(Error.prototype); +AuthenticationFailedError.prototype.constructor = AuthenticationFailedError; + +module.exports = AuthenticationFailedError; \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 2dc98f7..23650f3 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -9,6 +9,7 @@ var crypto = require('crypto'); var querystring = require('querystring'); var SignedXml = require('xml-crypto').SignedXml; var templates = require('./templates'); +var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; @@ -204,6 +205,42 @@ Samlp.prototype = { done(null, token); }, + getSamlStatus: function (samlResponse) { + var status = {}; + + if (typeof samlResponse === 'string') { + samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); + } + + // status code + var statusCodeXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusCode']", samlResponse)[0]; + if (statusCodeXml) { + status.code = statusCodeXml.getAttribute('Value'); + + if (status.code === 'urn:oasis:names:tc:SAML:2.0:status:Responder') { + // status sub code + var statusSubCodeXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusCode']/*[local-name(.)='StatusCode']", samlResponse)[0]; + if (statusSubCodeXml) { + status.subCode = statusSubCodeXml.getAttribute('Value'); + } + } + } + + // status message + var samlStatusMsgXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusMessage']", samlResponse)[0]; + if (samlStatusMsgXml) { + status.message = samlStatusMsgXml.textContent; + } + + // status detail + var samlStatusDetailXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusDetail']", samlResponse)[0]; + if (samlStatusDetailXml) { + status.detail = samlStatusDetailXml.textContent; + } + + return status; + }, + validateSamlResponse: function (samlResponse, callback) { var self = this; @@ -211,6 +248,16 @@ Samlp.prototype = { samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); } + // check status + var samlStatus = self.getSamlStatus(samlResponse); + var isAuthnFailed = samlStatus.code === 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed' || + samlStatus.subCode === 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed'; + + if (isAuthnFailed) { + return callback (new AuthenticationFailedError(samlStatus.message, samlStatus.detail)); + } + + // extract assertion self.extractAssertion(samlResponse, function (err, assertion) { if (err) { return callback(err); } if (!assertion) { From ba7bec37d957834ee8db978247485c4c96b73446 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 8 Oct 2015 17:51:22 -0300 Subject: [PATCH 127/203] 2.2.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 00b1504..eb44b37 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.1.1", + "version": "2.2.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 6640ca8db616a4e374473de88f297250b4ade7bd Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 8 Oct 2015 18:57:07 -0300 Subject: [PATCH 128/203] return 401 if AuthenticationFailedError --- lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js | 3 ++- lib/passport-wsfed-saml2/strategy.js | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js b/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js index 3dd2101..1cb8737 100644 --- a/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js +++ b/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js @@ -1,8 +1,9 @@ -function AuthenticationFailedError (message, detail) { +function AuthenticationFailedError (message, detail, status) { var err = Error.call(this, message); err.name = 'AuthenticationFailedError'; err.message = message || 'Authentication Failed'; err.detail = detail; + err.status = status || 401; return err; } diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 40dee6a..ea8421f 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -122,7 +122,7 @@ Strategy.prototype.authenticate = function (req, opts) { // We have a response, get the user identity out of it var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { - if (err) return self.fail(err, 400); + if (err) return self.fail(err, err.status || 400); var verified = function (err, user, info) { if (err) return self.error(err); From 9e4eeaf21fb5e4f198df42c7f960c20bc6bff0b7 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 8 Oct 2015 18:57:14 -0300 Subject: [PATCH 129/203] 2.2.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index eb44b37..bc37050 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.2.0", + "version": "2.2.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From ff3d599b08442f2101eb4217140e1b1f10231c50 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 11 Nov 2015 19:25:23 -0300 Subject: [PATCH 130/203] improve HTTP-POST binding support post samlrequest/relaystate instead of redirect --- lib/passport-wsfed-saml2/samlp.js | 74 ++++++++---- lib/passport-wsfed-saml2/strategy.js | 65 ++++++----- lib/passport-wsfed-saml2/templates/form.ejs | 21 ++++ package.json | 7 +- test/fixture/samlp-server.js | 12 ++ test/samlp.tests.js | 121 ++++++++++++++------ 6 files changed, 207 insertions(+), 93 deletions(-) create mode 100644 lib/passport-wsfed-saml2/templates/form.ejs diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 23650f3..57910f7 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -1,19 +1,24 @@ -var xmldom = require('xmldom'); -var xpath = require('xpath'); -var qs = require('querystring'); -var zlib = require('zlib'); -var xtend = require('xtend'); -var url = require('url'); -var xmlenc = require('xml-encryption'); -var crypto = require('crypto'); +var xmldom = require('xmldom'); +var xpath = require('xpath'); +var qs = require('querystring'); +var zlib = require('zlib'); +var xtend = require('xtend'); +var url = require('url'); +var xmlenc = require('xml-encryption'); +var crypto = require('crypto'); var querystring = require('querystring'); -var SignedXml = require('xml-crypto').SignedXml; -var templates = require('./templates'); +var SignedXml = require('xml-crypto').SignedXml; +var templates = require('./templates'); + var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); +var BINDINGS = { + HTTP_POST: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + HTTP_REDIRECT: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' +}; + var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; - this.options.protocolBinding = options.protocolBinding || 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'; if (this.options.thumbprint) { this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]); @@ -74,7 +79,7 @@ var algorithms = { }; Samlp.prototype = { - getSamlRequestUrl: function (opts, callback) { + getSamlRequestParams: function (opts, callback) { var options = xtend(opts || {}, this.options); var signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256'; @@ -89,7 +94,7 @@ Samlp.prototype = { ID: '_' + generateUniqueID(), IssueInstant: generateInstant(), Issuer: options.realm, - ProtocolBinding: options.protocolBinding, + ProtocolBinding: options.protocolBinding || BINDINGS.HTTP_POST, ForceAuthn: options.forceAuthn, AssertServiceURLAndDestination: assert_and_destination, AuthnContext: options.authnContext || '' @@ -106,7 +111,8 @@ Samlp.prototype = { RelayState: options.RelayState || (parsedUrl.query && parsedUrl.query.RelayState) || '' }; - if (!options.deflate) { + if (options.protocolBinding === BINDINGS.HTTP_POST || !options.deflate) { + // HTTP-POST or HTTP-Redirect without deflate encoding if (options.signingKey) { // xml with embedded Signature var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[signatureAlgorithm] }); @@ -127,17 +133,19 @@ Samlp.prototype = { SAMLRequest = trimXml(sig.getSignedXml()); } - return callback(null, buildUrl(new Buffer(SAMLRequest))); + params.SAMLRequest = new Buffer(SAMLRequest).toString('base64'); + return callback(null, params); } - // deflate encoding (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf - section 3.4.4.1) + // HTTP-Redirect with deflate encoding (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf - section 3.4.4.1) zlib.deflateRaw(new Buffer(SAMLRequest), function (err, buffer) { if (err) return callback(err); + + params.SAMLRequest = buffer.toString('base64'); + if (options.signingKey) { // construct the Signature: a string consisting of the concatenation of the SAMLRequest, // RelayState (if present) and SigAlg query string parameters (each one URLencoded) - params.SAMLRequest = buffer.toString('base64'); - if (params.RelayState === '') { // if there is no RelayState value, the parameter should be omitted from the signature computation delete params.RelayState; @@ -147,14 +155,34 @@ Samlp.prototype = { params.Signature = sign(querystring.stringify(params), options.signingKey.key, signatureAlgorithm); } - callback(null, buildUrl(buffer)); + callback(null, params); }); + }, + + getSamlRequestUrl: function (opts, callback) { + var options = xtend(opts || {}, this.options); + var parsedUrl = url.parse(options.identityProviderUrl, true); - function buildUrl(buffer) { - return options.identityProviderUrl.split('?')[0] + '?' + qs.encode(xtend(parsedUrl.query, params, { - SAMLRequest: buffer.toString('base64') + this.getSamlRequestParams(options, function (err, params) { + if (err) return callback(err); + + var samlRequestUrl = options.identityProviderUrl.split('?')[0] + '?' + qs.encode(xtend(parsedUrl.query, params)); + return callback(null, samlRequestUrl); + }); + }, + + getSamlRequestForm: function (opts, callback) { + var options = xtend(opts || {}, this.options); + + this.getSamlRequestParams(options, function (err, params) { + if (err) return callback(err); + + return callback(null, templates.form({ + postUrl: options.identityProviderUrl, + RelayState: params.RelayState, + SAMLRequest: params.SAMLRequest })); - } + }); }, decodeResponse: function(req) { diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index ea8421f..98dbfd1 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -1,13 +1,13 @@ -var passport = require('passport'); -var util = require('util'); -var saml = require('./saml'); -var wsfed = require('./wsfederation'); -var samlp = require('./samlp'); -var xmldom = require('xmldom'); -var jwt = require('jsonwebtoken'); +var passport = require('passport'); +var util = require('util'); +var xmldom = require('xmldom'); +var jwt = require('jsonwebtoken'); +var saml = require('./saml'); +var wsfed = require('./wsfederation'); +var samlp = require('./samlp'); function Strategy (options, verify) { - if (typeof options == 'function') { + if (typeof options === 'function') { verify = options; options = {}; } @@ -24,12 +24,14 @@ function Strategy (options, verify) { passport.Strategy.call(this); this._verify = verify; + if (!this.options.jwt) { this._saml = new saml.SAML(this.options); this._samlp = new samlp(this.options, this._saml); } else { this._jwt = this.options.jwt; } + this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); } @@ -71,6 +73,7 @@ Strategy.prototype._authenticate_saml = function (req) { Strategy.prototype._authenticate_jwt = function (req) { var self = this; var token = req.body.wresult; + jwt.verify(token, this.options.cert, this._jwt, function (err, profile) { if (err) { return self.error(err); @@ -98,7 +101,7 @@ Strategy.prototype.authenticate = function (req, opts) { var authzParams = this.authorizationParams(opts); function executeWsfed(req) { - if (req.body && req.method == 'POST' && req.body.wresult) { + if (req.body && req.method === 'POST' && req.body.wresult) { // We have a response, get the user identity out of it if (self._jwt) { self._authenticate_jwt(req); @@ -113,7 +116,7 @@ Strategy.prototype.authenticate = function (req, opts) { } function executeSamlp(req) { - if (req.body && req.method == 'POST' && req.body.SAMLResponse) { + if (req.body && req.method === 'POST' && req.body.SAMLResponse) { var samlResponse = self._samlp.decodeResponse(req); if (samlResponse.indexOf('<') === -1) { return self.fail('SAMLResponse should be a valid xml', 400); @@ -126,9 +129,7 @@ Strategy.prototype.authenticate = function (req, opts) { var verified = function (err, user, info) { if (err) return self.error(err); - if (!user) return self.fail(info); - self.success(user, info); }; @@ -136,31 +137,37 @@ Strategy.prototype.authenticate = function (req, opts) { }); } else { // Initiate new samlp authentication request - self._samlp.getSamlRequestUrl(authzParams, function(err, url) { - if (err) return self.error(err); - - self.redirect(url); - }); + if (self.options.protocolBinding === 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST') { + self._samlp.getSamlRequestForm(authzParams, function (err, form) { + if (err) return self.error(err); + var res = req.res; + res.set('Content-Type', 'text/html'); + res.send(form); + }); + } + else { + self._samlp.getSamlRequestUrl(authzParams, function (err, url) { + if (err) return self.error(err); + self.redirect(url); + }); + } } } switch (protocol) { - case 'wsfed': - executeWsfed(req, this.options); - break; - case 'samlp': - executeSamlp(req, this.options); - break; - default: - throw new Error('not supported protocol: ' + protocol); + case 'wsfed': + executeWsfed(req, this.options); + break; + case 'samlp': + executeSamlp(req, this.options); + break; + default: + throw new Error('not supported protocol: ' + protocol); } - - }; Strategy.prototype.authorizationParams = function(options) { return options; }; - -module.exports = Strategy; \ No newline at end of file +module.exports = Strategy; diff --git a/lib/passport-wsfed-saml2/templates/form.ejs b/lib/passport-wsfed-saml2/templates/form.ejs new file mode 100644 index 0000000..7f3d429 --- /dev/null +++ b/lib/passport-wsfed-saml2/templates/form.ejs @@ -0,0 +1,21 @@ + + + Working... + + +
+ + + +
+ + + \ No newline at end of file diff --git a/package.json b/package.json index bc37050..44cba6a 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", "xml-encryption": "~0.7.2", "xml2js": "0.1.x", - "xmldom": "~0.1.19", + "xmldom": "https://github.com/auth0/xmldom/tarball/master", "xpath": "0.0.5", "xtend": "~2.0.3" }, @@ -35,10 +35,7 @@ "express": "~3.1.0", "mocha": "~1.8.1", "request": "~2.14.0", - "xmldom": "https://github.com/auth0/xmldom/tarball/master", - "cheerio": "~0.10.7", - "xpath": "0.0.5", - "xtend": "~2.0.3", + "cheerio": "~0.19.0", "moment": "~1.7.2", "saml": "~0.4.4", "wsfed": "~0.3.5", diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 9df04e7..66d29b8 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -21,6 +21,17 @@ passport.use('samlp', new Strategy({ }) ); +passport.use('samlp-http-post', new Strategy({ + protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: identityProviderUrl, + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'] + }, function(profile, done) { + return done(null, profile); + }) +); + passport.use('samlp-custom-request-template', new Strategy({ path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', @@ -221,6 +232,7 @@ module.exports.start = function(options, callback){ }); app.get('/login', passport.authenticate('samlp', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-http-post', passport.authenticate('samlp-http-post', { protocol: 'samlp', RelayState: relayState })); app.get('/login-idp-with-querystring', passport.authenticate('samlp-idpurl-with-querystring', { protocol: 'samlp', RelayState: relayState })); app.get('/login-signed-request-without-deflate', passport.authenticate('samlp-signedrequest-without-deflate', { protocol: 'samlp', RelayState: relayState })); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 2785ccd..abdd1e0 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -198,38 +198,91 @@ describe('samlp (functional tests)', function () { }); describe('samlp request', function () { - var r, bod; + describe('HTTP-Redirect', function () { + var r, bod; - before(function (done) { - request.get({ - jar: request.jar(), - followRedirect: false, - uri: 'http://localhost:5051/login' - }, function (err, resp, b){ - if(err) return callback(err); - r = resp; - bod = b; - done(); + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login' + }, function (err, resp, b){ + if(err) return done(err); + r = resp; + bod = b; + done(); + }); }); - }); - it('should redirect to idp', function(){ - expect(r.statusCode) - .to.equal(302); + it('should redirect to idp', function(){ + expect(r.statusCode) + .to.equal(302); + }); + + it('should have SAMLRequest querystring', function(done){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + var SAMLRequest = querystring.SAMLRequest; + + zlib.inflateRaw(new Buffer(SAMLRequest, 'base64'), function (err, buffer) { + if (err) return done(err); + var request = buffer.toString(); + var doc = new xmldom.DOMParser().parseFromString(request); + + expect(doc.documentElement.getAttribute('ProtocolBinding')) + .to.equal('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'); + + expect(doc.documentElement.getAttribute('Version')) + .to.equal('2.0'); + + expect(doc.documentElement.getElementsByTagName('saml:Issuer')[0] + .getAttribute('xmlns:saml')) + .to.equal('urn:oasis:names:tc:SAML:2.0:assertion'); + + done(); + }); + }); + + it('should have RelayState querystring', function(){ + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('RelayState'); + expect(querystring.RelayState).to.equal(server.relayState); + }); }); - it('should have SAMLRequest querystring', function(done){ - expect(r.headers.location.split('?')[0]) - .to.equal(server.identityProviderUrl); - var querystring = qs.parse(r.headers.location.split('?')[1]); - expect(querystring).to.have.property('SAMLRequest'); - var SAMLRequest = querystring.SAMLRequest; + describe('HTTP-POST', function () { + var r, bod, $; - zlib.inflateRaw(new Buffer(SAMLRequest, 'base64'), function (err, buffer) { - if (err) return done(err); - var request = buffer.toString(); - var doc = new xmldom.DOMParser().parseFromString(request); + before(function (done) { + request.get({ + jar: request.jar(), + followRedirect: false, + uri: 'http://localhost:5051/login-http-post' + }, function (err, resp, b){ + if (err) return done(err); + r = resp; + bod = b; + $ = cheerio.load(bod); + done(); + }); + }); + + it('should post to idp', function(){ + expect(r.statusCode).to.equal(200); + expect(r.headers['content-type']).to.equal('text/html'); + expect(r.headers['content-type']).to.equal('text/html'); + expect($('form').attr('action')).to.equal('http://localhost:5051/samlp'); + }); + it('should have SAMLRequest input', function (done) { + var SAMLRequest = $('form input[name="SAMLRequest"]').val(); + expect(SAMLRequest).to.be.ok; + + var doc = new xmldom.DOMParser().parseFromString(new Buffer(SAMLRequest, 'base64').toString()); expect(doc.documentElement.getAttribute('ProtocolBinding')) .to.equal('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'); @@ -243,16 +296,12 @@ describe('samlp (functional tests)', function () { done(); }); + it('should have RelayState input', function(){ + var RelayState = $('form input[name="RelayState"]').val(); + expect(RelayState).to.be.ok; + expect(RelayState).to.equal(server.relayState); + }); }); - - it('should have RelayState querystring', function(){ - expect(r.headers.location.split('?')[0]) - .to.equal(server.identityProviderUrl); - var querystring = qs.parse(r.headers.location.split('?')[1]); - expect(querystring).to.have.property('RelayState'); - expect(querystring.RelayState).to.equal(server.relayState); - }); - }); describe('samlp request with custom xml', function () { @@ -264,7 +313,7 @@ describe('samlp (functional tests)', function () { followRedirect: false, uri: 'http://localhost:5051/login-custom-request-template' }, function (err, resp, b){ - if(err) return callback(err); + if(err) return done(err); r = resp; bod = b; done(); @@ -316,7 +365,7 @@ describe('samlp (functional tests)', function () { followRedirect: false, uri: 'http://localhost:5051/login-idp-with-querystring' }, function (err, resp, b){ - if(err) return callback(err); + if(err) return done(err); r = resp; bod = b; done(); From 6f028462ce2eb833143d76ba367727884fbc1d5e Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 11 Nov 2015 19:25:28 -0300 Subject: [PATCH 131/203] 2.3.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 44cba6a..6a1166d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.2.1", + "version": "2.3.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 56ebd059a8ec3058118bdd3de7fcbb9d6fd2b14d Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 19 Nov 2015 12:32:54 -0300 Subject: [PATCH 132/203] updated to passport@0.3.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 6a1166d..23ba4da 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "cryptiles": "~0.2.2", "ejs": "~0.8.3", "jsonwebtoken": "~5.0.4", - "passport": "0.1.x", + "passport": "^0.3.2", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", "xml-encryption": "~0.7.2", "xml2js": "0.1.x", From 55cf1e9a38756a25958c76ce43637164acf6c5d4 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 19 Nov 2015 12:33:00 -0300 Subject: [PATCH 133/203] 2.4.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 23ba4da..0e605c4 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.3.0", + "version": "2.4.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From fbfeee4434b36c345fd194869bbef7bced38d9ff Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 19 Nov 2015 14:21:38 -0300 Subject: [PATCH 134/203] use passport-strategy instead of passport --- lib/passport-wsfed-saml2/strategy.js | 18 +++++++++--------- package.json | 5 +++-- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 98dbfd1..0568547 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -1,12 +1,12 @@ -var passport = require('passport'); var util = require('util'); var xmldom = require('xmldom'); var jwt = require('jsonwebtoken'); +var Strategy = require('passport-strategy'); var saml = require('./saml'); var wsfed = require('./wsfederation'); var samlp = require('./samlp'); -function Strategy (options, verify) { +function WsFedSaml2Strategy (options, verify) { if (typeof options === 'function') { verify = options; options = {}; @@ -21,7 +21,7 @@ function Strategy (options, verify) { this.name = 'wsfed-saml2'; - passport.Strategy.call(this); + Strategy.call(this); this._verify = verify; @@ -35,9 +35,9 @@ function Strategy (options, verify) { this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); } -util.inherits(Strategy, passport.Strategy); +util.inherits(WsFedSaml2Strategy, Strategy); -Strategy.prototype._authenticate_saml = function (req) { +WsFedSaml2Strategy.prototype._authenticate_saml = function (req) { var self = this; if (req.body.wresult.indexOf('<') === -1) { @@ -70,7 +70,7 @@ Strategy.prototype._authenticate_saml = function (req) { }); }; -Strategy.prototype._authenticate_jwt = function (req) { +WsFedSaml2Strategy.prototype._authenticate_jwt = function (req) { var self = this; var token = req.body.wresult; @@ -95,7 +95,7 @@ Strategy.prototype._authenticate_jwt = function (req) { }); }; -Strategy.prototype.authenticate = function (req, opts) { +WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { var self = this; var protocol = opts.protocol || this.options.protocol; var authzParams = this.authorizationParams(opts); @@ -166,8 +166,8 @@ Strategy.prototype.authenticate = function (req, opts) { } }; -Strategy.prototype.authorizationParams = function(options) { +WsFedSaml2Strategy.prototype.authorizationParams = function(options) { return options; }; -module.exports = Strategy; +module.exports = WsFedSaml2Strategy; diff --git a/package.json b/package.json index 0e605c4..d82fb88 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "cryptiles": "~0.2.2", "ejs": "~0.8.3", "jsonwebtoken": "~5.0.4", - "passport": "^0.3.2", + "passport-strategy": "^1.0.0", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", "xml-encryption": "~0.7.2", "xml2js": "0.1.x", @@ -40,7 +40,8 @@ "saml": "~0.4.4", "wsfed": "~0.3.5", "should": "~1.1.0", - "samlp": "~0.4.3" + "samlp": "~0.4.3", + "passport": "^0.3.2" }, "engines": { "node": ">= 0.6.0" From ba3ae5b5b24c16d603e1912e74e6070c26ad18cc Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 19 Nov 2015 15:17:58 -0300 Subject: [PATCH 135/203] 2.5.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d82fb88..13c51d8 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.4.0", + "version": "2.5.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 96004921bc9cb811d0f0d9be77490b4291123b7f Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 28 Dec 2015 12:27:09 -0300 Subject: [PATCH 136/203] xml-encryption@0.7.4 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 13c51d8..5809e11 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,7 @@ "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", - "xml-encryption": "~0.7.2", + "xml-encryption": "~0.7.4", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", "xpath": "0.0.5", From 50c886773fc42882c513dd2c896b28eddc5d9b66 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 28 Dec 2015 12:27:18 -0300 Subject: [PATCH 137/203] 2.5.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 5809e11..67607b0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.5.0", + "version": "2.5.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 6cdffa98b41c23e8095cb677a6bd3387448b699f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alberto=20G=C3=BCerere?= Date: Tue, 12 Jan 2016 17:27:59 -0430 Subject: [PATCH 138/203] Updates license and edits readme License is updated to latest approved version and the readme now includes the issue reporting, author and license sections. --- LICENSE | 27 ++++++++++++++------------- README.md | 16 ++++++++++++---- 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/LICENSE b/LICENSE index 2875689..0d65171 100644 --- a/LICENSE +++ b/LICENSE @@ -1,20 +1,21 @@ -(The MIT License) +The MIT License (MIT) -Copyright (c) 2011 Matias Woloski (Auth10) +Copyright (c) 2015 Auth0, Inc. (http://auth0.com) -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index c6408c7..c3b16a3 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ Passport-wsfed-saml2 has been tested to work with both [Windows Azure Active Dir ### Configure strategy -This example utilizes a development namespace (auth10-dev) on [Windows Azure Access Control Service](https://www.windowsazure.com/en-us/home/features/identity/) and is using Google as the only identity provider configured for the sample application. +This example utilizes a development namespace (auth10-dev) on [Windows Azure Access Control Service](https://www.windowsazure.com/en-us/home/features/identity/) and is using Google as the only identity provider configured for the sample application. ```javascript @@ -55,7 +55,7 @@ app.post('/login/callback', ### Jwt -Although this started as wsfed&saml we added support for wsfed&jwt. Usage is +Although this started as wsfed&saml we added support for wsfed&jwt. Usage is ~~~javascript passport.use(new wsfedsaml2( @@ -77,6 +77,14 @@ passport.use(new wsfedsaml2( )); ~~~ -### License +## Issue Reporting -MIT 2013 - AUTH10 LLC +If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. + +## Author + +[Auth0](auth0.com) + +## License + +This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info. From 2d332a4c7c474ca65b05c4c032af62c305198af5 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 28 Jan 2016 15:19:18 -0300 Subject: [PATCH 139/203] point to specified tarball of xml-crypto --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 67607b0..7e9f28b 100644 --- a/package.json +++ b/package.json @@ -23,7 +23,7 @@ "ejs": "~0.8.3", "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", - "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/master", + "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/ba70a50d60acc6ff1d45a3f377349af0a3d735d9", "xml-encryption": "~0.7.4", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", From 30d5897c72d0687b3283be38d750c7d223348a1e Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 28 Jan 2016 15:19:40 -0300 Subject: [PATCH 140/203] 2.6.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 7e9f28b..fa15626 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.5.1", + "version": "2.6.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 6215e7a86b35346356b729f300d6d5d178c1af9c Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 1 Feb 2016 20:53:35 -0300 Subject: [PATCH 141/203] support SAMLResponse with signed assertion and "ds" prefix defined only at the root of the SAMLResponse --- lib/passport-wsfed-saml2/samlp.js | 13 ++++++++++++ package.json | 2 +- test/fixture/samlp-server.js | 33 +++++++++++++++++++++++++++++++ test/samlp.tests.js | 22 +++++++++++++++++++++ 4 files changed, 69 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 57910f7..4fa4ccb 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -301,6 +301,19 @@ Samlp.prototype = { return callback(new Error('neither the response nor the assertion are signed')); } + if (isAssertionSigned) { + var assertionSignature = xpath.select(samlAssertionSignaturePath, assertion)[0]; + if (assertionSignature.prefix) { + try { + var dsigNamespace = assertionSignature.lookupNamespaceURI(assertionSignature.prefix); + if (dsigNamespace && !assertionSignature.getAttribute('xmlns:' + assertionSignature.prefix)) { + // saml assertion signature has a prefix but namespace is defined on parent, copy it to assertion + assertion.setAttribute('xmlns:' + assertionSignature.prefix, dsigNamespace); + } + } catch(e) {} + } + } + if (isResponseSigned) { self._saml.validateSignature(samlResponse, { cert: self.options.cert, diff --git a/package.json b/package.json index fa15626..3c4024c 100644 --- a/package.json +++ b/package.json @@ -23,7 +23,7 @@ "ejs": "~0.8.3", "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", - "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/ba70a50d60acc6ff1d45a3f377349af0a3d735d9", + "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/5e0b9547076a9cdf82e4189f54fd9212a1656a09", "xml-encryption": "~0.7.4", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 66d29b8..9229857 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -162,6 +162,20 @@ passport.use('samlp-okta', new Strategy( }) ); +function pemToCert(pem) { + // if certificate doesn't have ---- begin cert --- just return the pem + if (!/-----BEGIN CERTIFICATE-----/.test(pem.toString())) { + return pem.toString(); + } + + var cert = /-----BEGIN CERTIFICATE-----([^-]*)-----END CERTIFICATE-----/g.exec(pem.toString()); + if (cert.length > 0) { + return cert[1].replace(/[\n|\r\n]/g, ''); + } + + return null; +} + passport.use('samlp-with-utf8', new Strategy( { path: '/callback', @@ -175,6 +189,18 @@ passport.use('samlp-with-utf8', new Strategy( }) ); +passport.use('samlp-with-dsig-at-root', new Strategy( + { + path: '/callback', + checkExpiration: false, // we are using a precomputed assertion generated from a sample idp + checkAudience: false, + cert: pemToCert(fs.readFileSync(path.join(__dirname, '../test-auth0.pem'))) + }, + function(profile, done) { + return done(null, profile); + }) +); + var fakeUser = { id: '12345678', @@ -301,6 +327,13 @@ module.exports.start = function(options, callback){ } ); + app.post('/callback/samlp-with-dsig-at-root', + passport.authenticate('samlp-with-dsig-at-root', { protocol: 'samlp' }), + function(req, res) { + res.json(req.user); + } + ); + var server = http.createServer(app).listen(5051, callback); module.exports.close = server.close.bind(server); }; diff --git a/test/samlp.tests.js b/test/samlp.tests.js index abdd1e0..d72440e 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -174,6 +174,28 @@ describe('samlp (functional tests)', function () { }); }); + describe.skip('SAMLResponse with signed assertion and "ds" prefix defined only at the root of the SAMLResponse', function () { + var r, bod; + + // samlResponse was not properly generated + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-with-dsig-at-root', + form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0iX2ViMGQ0MzZkNzQyMTAyMmE0ZWZmIiBJblJlc3BvbnNlVG89Il8yTjVHR3Aybm1JVENGYmN5R1NLamFRM2FpNkt4OWNBd0RoQkdYMWdBSnl2Q3JsSnZvRVFkakVnVHNmYWpnTTltN2oudy5JOUZ6MWRkVmpaOWxLWkNoY3NwdHA5a3hrQ3VxY3diZU5lLmxKeVZRcEI4aVNhNGF3RllzajlBNXI3UkViNUpwSEg3MkI2ZmVndUhGRlBFOE1hazN1NGhTRUtsOV84bW9pWExkQTU3V1ZoendhOFhZeG40bURzaFNwM1hiMFBFWktPREhNdHhsVlhheWNHWXVNZ0MyMEdwZkNBIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNi0wMi0wMVQyMjoyNDo1MloiIERlc3RpbmF0aW9uPSJodHRwczovL2F1dGgwLWRldi1lZC5teS5zYWxlc2ZvcmNlLmNvbSI+PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPnVybjpmaXh0dXJlLXRlc3Q8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBWZXJzaW9uPSIyLjAiIElEPSJfSW40RjVGbmlPNDV5TkxaVTRrTTdibTZOTHRyYVV3c0oiIElzc3VlSW5zdGFudD0iMjAxNi0wMi0wMVQyMjoyNDo1Mi40MzlaIj48c2FtbDpJc3N1ZXI+dXJuOmZpeHR1cmUtdGVzdDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjX0luNEY1Rm5pTzQ1eU5MWlU0a003Ym02Tkx0cmFVd3NKIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU+TGJjL2NSanIxVjBIUzZaQTVWTzR5cTdUTXZIK0g4eURqdzJjU0lHMU9ZYz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+ZzlibGRydDlVTks0bU5NbEl2bFhQSzFUa2ZZaStHUXlwTThzTHE1Z2VkQmZSMDU2cW1qUnpLckRzOEhYMHdVMXZKaDN6cnNOcHcwR055aVkvamlhOGpQQkJkc3dqTHBDTTUzNDF5aVRyNXFDNzhvRFk0ZGNZOTZCN1N5UCs3VXI2MVNGbTNOUWtrUDd6QnFUYnZycW9vWHU1RVBNUjdSMHozdEptZ25BZnpDbytvS3h3bEE2cmF0d2xXWldQQmtYRzVmYmM5MEtIZnhaS2ZLOGVWTlRRajJUTmlrYzZaaFFsWEI5aG05ekNqMDNoRjNlL29vV1NTaUNlOUwvM0RmSENpbk1jU2ozMjJLc1dOZmNBVEI4dWVwcncvWll3OUFwYmRld2hUcyt5NFlGdGNzQktpei83ZUlmTmJHcERQTUtVN3lxeEFVR2w2WmJ1TmNON2dlN2h3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUVEekNDQXZlZ0F3SUJBZ0lKQUxyOUh3Z3JRN0dlTUEwR0NTcUdTSWIzRFFFQkJRVUFNR0l4R0RBV0JnTlZCQU1URDJGMWRHZ3dMbUYxZEdnd0xtTnZiVEVTTUJBR0ExVUVDaE1KUVhWMGFEQWdURXhETVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHQTFVRUNCTUtWMkZ6YUdsdVozUnZiakVRTUE0R0ExVUVCeE1IVW1Wa2JXOXVaREFlRncweE1qRXlNamt4TlRNd05EZGFGdzB4TXpBeE1qZ3hOVE13TkRkYU1HSXhHREFXQmdOVkJBTVREMkYxZEdnd0xtRjFkR2d3TG1OdmJURVNNQkFHQTFVRUNoTUpRWFYwYURBZ1RFeERNUXN3Q1FZRFZRUUdFd0pWVXpFVE1CRUdBMVVFQ0JNS1YyRnphR2x1WjNSdmJqRVFNQTRHQTFVRUJ4TUhVbVZrYlc5dVpEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1aaVZtTkhpWExsZHJnYlM1ME9OTk9IN3BKMnpnNk9jU01rWVpHRFpKYk9aL1Rxd2F1QzZKT25JNyt4dGtQSnNRSFpTRkpzNFUwc3JqWkt6RENtYXoyakxBSkRTaFAyamFYbHJraTE2bkRMUEUvL0lHQWczQkpndVNtQkNXcERiU205MlY5aFNzRStNaHg2YkRhSml3OHlRK1E4aVNtMGFUUVp0cDZPNElDTXUwMEVTZGg5TkpxSUVDRUx2UDMxQURWMVhoajdJYnl5VlBERnhNdjNvbDVCeVNFOXd3d09GVXEvd3Y3WHo5TFJpVWpVelBPK0xxM09NM28vdUNEYms3akQ3WHJHVXVPeWRBTEQ4VUxzWHA0RXVETytuRmJlWEIvaUtuZFp5bnVWS29raXJ5d2wybkQySVAwL3luY2RMUVo4QnlJeXFQM0c4MmZxL2w4cDdBc0NBd0VBQWFPQnh6Q0J4REFkQmdOVkhRNEVGZ1FVSEkyclVYZUJqVHYxekFsbGFQR3JIRmNFSzBZd2daUUdBMVVkSXdTQmpEQ0JpWUFVSEkyclVYZUJqVHYxekFsbGFQR3JIRmNFSzBhaFpxUmtNR0l4R0RBV0JnTlZCQU1URDJGMWRHZ3dMbUYxZEdnd0xtTnZiVEVTTUJBR0ExVUVDaE1KUVhWMGFEQWdURXhETVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHQTFVRUNCTUtWMkZ6YUdsdVozUnZiakVRTUE0R0ExVUVCeE1IVW1Wa2JXOXVaSUlKQUxyOUh3Z3JRN0dlTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVGQlFBRGdnRUJBRnJYSWhDeTRUNGVHcmlrYjBSMndIdi91UzU0OHIzcFp5QlYwQ0RiY1J3QXRibnBKTXZrR0ZxS1ZwNHBteW9JRFNWTksvaitzTEVzaEIyMFhmdGV6SFp5UkpiQ1VidEt2WFE2RnN4b2VaTWxOMElUWUtUYW9CWktoVXh4ajkwb3RBaE5DNThxd0dVUHF0Mkxld0poSHlMdWNLa0dKMW1RM2I1eEtaNTMyVG91Zm91SDlWTGhpZzNIMUtueFdvL3pNRDZLZThjQ2s2cU85aHR1aEkwNnMzR1FHUzFRV1F0QW1tMTdDNlRmS2dEd1FGWndocUhVVVpud0tSSDhnVTZPZ1pzdmhnVjFCN0g1bWpaY3U1N0tNaURCZWtVOU1FWTBEQ1ZUTjNXa21jVElJNjY4ekxzSnJrTlg2UEVmY2sxQU1CYlZFNnBFVUtjV3dxM3VhTHZsQVVvPTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPjEyMzQ1Njc4PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE2LTAyLTAxVDIzOjI0OjUyLjQzOVoiIEluUmVzcG9uc2VUbz0iXzJONUdHcDJubUlUQ0ZiY3lHU0tqYVEzYWk2S3g5Y0F3RGhCR1gxZ0FKeXZDcmxKdm9FUWRqRWdUc2ZhamdNOW03ai53Lkk5RnoxZGRWalo5bEtaQ2hjc3B0cDlreGtDdXFjd2JlTmUubEp5VlFwQjhpU2E0YXdGWXNqOUE1cjdSRWI1SnBISDcyQjZmZWd1SEZGUEU4TWFrM3U0aFNFS2w5Xzhtb2lYTGRBNTdXVmh6d2E4WFl4bjRtRHNoU3AzWGIwUEVaS09ESE10eGxWWGF5Y0dZdU1nQzIwR3BmQ0EiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNi0wMi0wMVQyMjoyNDo1Mi40MzlaIiBOb3RPbk9yQWZ0ZXI9IjIwMTYtMDItMDFUMjM6MjQ6NTIuNDM5WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL2F1dGgwLWRldi1lZC5teS5zYWxlc2ZvcmNlLmNvbTwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZWlkZW50aWZpZXIiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj4xMjM0NTY3ODwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5qZm9vQGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+Sm9obiBGb288L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvZ2l2ZW5uYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+Sm9objwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9zdXJuYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+Rm9vPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDItMDFUMjI6MjQ6NTIuNDM5WiI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should be valid signature', function(){ + expect(r.statusCode) + .to.equal(200); + }); + }); describe('invalid SAMLResponse in POST', function () { var user, r, bod, $; From 293ea2c168f6ab165f1c6ea40f9fb243dfac61e2 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Mon, 1 Feb 2016 20:57:58 -0300 Subject: [PATCH 142/203] 2.7.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 3c4024c..06a0883 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.6.0", + "version": "2.7.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 1f6582e7db4aab97e6be08d4eb375dbacd681115 Mon Sep 17 00:00:00 2001 From: Sebastian Iacomuzzi Date: Tue, 23 Feb 2016 15:43:05 -0300 Subject: [PATCH 143/203] Added strategies for ADFS WS-Fed and SAMLp credits to @nzpcmad --- README.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/README.md b/README.md index c3b16a3..1aec49a 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,45 @@ passport.use(new wsfedsaml2( )); ~~~ +### Configure strategy for ADFS (WS-Fed) + +This example utilizes a strategy with ADFS using WS-Fed. + +```javascript +passport.use('wsfed-saml2', new wsfedsaml2({ + // ADFS RP identifier + realm: 'urn:node:wsfedapp', + identityProviderUrl: 'https://my-adfs/adfs/ls', + // ADFS token signing certificate + thumbprint: '5D27....D27E' + // or options.cert: fs.readFileSync("adfs_signing_key.cer") +}, function (profile, done) { + // ... +})); + +``` + +### Configure strategy for ADFS (SAMLp) + +This example utilizes a strategy using SAMLp and RP token encryption. + +```javascript +passport.use('wsfed-saml2', new wsfedsaml2({ + // ADFS RP identifier + realm: 'urn:node:samlapp', + identityProviderUrl: 'https://my-adfs/adfs/ls', + // ADFS token signing certificate + thumbprint: '5D27...D27E', + // or options.cert: fs.readFileSync("adfs_signing_key.cer") + protocol: "samlp", + // This is the private key (use case where ADFS + // is configured for RP token encryption) + decryptionKey: fs.readFileSync("server.key") +}, function (profile, done) { + // ... +})); +``` + ## Issue Reporting If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. From 1b994c1b929efe8989924bf4b01b722664f8c32b Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 24 Feb 2016 20:42:15 -0300 Subject: [PATCH 144/203] should validate thumbprint always for embedded signatures (even if cert is passed) --- lib/passport-wsfed-saml2/saml.js | 2 ++ test/interop.tests.js | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index f7e6e23..1070b07 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -63,6 +63,8 @@ SAML.prototype.validateSignature = function (xml, options, callback) { shasum.update(der); self.calculatedThumbprint = shasum.digest('hex'); + // using embedded cert, so options.cert is not used anymore + delete options.cert; return self.certToPEM(base64cer); } } diff --git a/test/interop.tests.js b/test/interop.tests.js index 47dff72..0f69d4d 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -267,6 +267,32 @@ describe('interop', function () { } }); + it('should validate thumbprint always for embedded signatures (even if cert is passed)', function (done) { + var response = 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJfZTU3YjcwNmU3ZWU0YWE4Y2Y2MjQiICBJblJlc3BvbnNlVG89Il9jMTQwZDE1ZjU2Y2Q1MzBkMzEzOCIgIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE2LTAyLTI0VDIxOjEyOjAwWiIgIERlc3RpbmF0aW9uPSJodHRwczovL3dwdGVzdC5hdXRoMC5jb20vbG9naW4vY2FsbGJhY2s/Y29ubmVjdGlvbj1QZXBlU0FNTCI+PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPnVybjphdXRoMC1waHAuYXV0aDAuY29tPC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgVmVyc2lvbj0iMi4wIiBJRD0iX2ptTjcwOGRIVEZSd1JLenR3aGtrNGFnNkFJdG9NNDYxIiBJc3N1ZUluc3RhbnQ9IjIwMTYtMDItMjRUMjE6MTI6MDAuMjI5WiI+PHNhbWw6SXNzdWVyPnVybjphdXRoMC1waHAuYXV0aDAuY29tPC9zYW1sOklzc3Vlcj48U2lnbmF0dXJlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48U2lnbmVkSW5mbz48Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48UmVmZXJlbmNlIFVSST0iI19qbU43MDhkSFRGUndSS3p0d2hrazRhZzZBSXRvTTQ2MSI+PFRyYW5zZm9ybXM+PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvVHJhbnNmb3Jtcz48RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48RGlnZXN0VmFsdWU+UDgrNGMzeFNMbjFrelRSSUMzYUJ4OFJFSndJPTwvRGlnZXN0VmFsdWU+PC9SZWZlcmVuY2U+PC9TaWduZWRJbmZvPjxTaWduYXR1cmVWYWx1ZT5TZWtjRThaZnFsbVhlNHBEY05pbUI3MGRxQzF1SW5HZ1I2S2NsUzdCNGFvNFBERVlwclhiSVNPZ0E0bjlOVTdreTRnNzBxeitUcDQ2dmU5MU9OTThCM2tXR0ErQXNiUjRZNDBBRjZqaGgvRWhrcVhRKzV6QVlhajBoNEpKYm1Xb2JYdW9xNlpIZW0zZDdveWxZaWV0R2FTOUl6V3Y0MmIyQ3p1eXZCTkxIZk4vZUtqOVRROFBrUDBsSi9seTZrVHBVL25OYTZOR0NxbEJFb2dHeDl0TXY0Sjl4UG9uYXpQYXB6elJlQVh2dTY0Y3dGa2VXYU8ybUhoaitZT3lHVUhtRWpMbHVwOGhnTFhhcTdST1p1czVEL2ZxS0t5bU9BdWR2b01PazBuVktqeUpyTStnc3JORWZXdTJqWkx4ZitzSXlhcnRMU3Q5c2VzVW44RDY5OS9ENlE9PTwvU2lnbmF0dXJlVmFsdWU+PEtleUluZm8+PFg1MDlEYXRhPjxYNTA5Q2VydGlmaWNhdGU+TUlJQzdqQ0NBZGFnQXdJQkFnSUpUU3NsTkhLWG9ubGJNQTBHQ1NxR1NJYjNEUUVCQlFVQU1CNHhIREFhQmdOVkJBTVRFMkYxZEdnd0xYQm9jQzVoZFhSb01DNWpiMjB3SGhjTk1UWXdNVEUxTVRZMU5USTJXaGNOTWprd09USXpNVFkxTlRJMldqQWVNUnd3R2dZRFZRUURFeE5oZFhSb01DMXdhSEF1WVhWMGFEQXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0RlZ4Rm11OFpGYngyM2JONklmTTZia3VoUEUrbG1QTkYxSHBCR1JPSGh5Q1RrVDA5OXRTN1ZJNHVWZEdCT3BYN3NEUXkvYXpsU2FkQ3NQWlNnQ2ZTU3lEcUZIWWI0eDRjTTJOcU9RQzdhdTNwRVVMOEhKWnhneXZMYkV1dENDTkgwR25IYTRHZWx4cldvNTl1RlNpeUJxL3AzZ2ttY0c0UDJPeXRGMDJ0ekk5SWFUL2Q5SStTQkQrUDA1TGx4MktwYVErU3JOUGF0QUlxaEJTb1Q4UThGSm84U0hzN0hsYTZRWkhyWFBQcHUxUmVra1NpYStEZG51YjViMEF1Sm9JbzNKUzU2WTZGN05RTncyeFlFaFBLMjdUV2tBZzJsNFl3WEM5RDN6d0RuaUJJSkNaRm9tOVlQRlhITXhBcUx0NVNFaFJlOVZnS1VwOFk1K3pURUJ5c1FJREFRQUJveTh3TFRBTUJnTlZIUk1FQlRBREFRSC9NQjBHQTFVZERnUVdCQlE0Y1hmaXZjQkNPYi9wN3ZEdFhhMGE2blhZZlRBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQUNlUVRWdVlGbFVCOFVVMTVsOVhSR1p2cWlFTDlZNVN3M1lQWjVZREhBclVEWnNOM2pzRG9qN3ErQjVBQTlOSWpHMlQ0cUJVZ3hzTHJPV2lPaTRYUnV0cHlZTzZRMnZ1N3JKYlNUcThZZGxaYm52cjhURHZDT3ZveXJPeE94WXRIWlEzTEV0aWlVazFPVWhLU0VzNWJsRU13ZXk2dFAzWDNsRWRRVk9tSTJoc1Jla00wWi93Z3lZZGliM2tuU2tETDhyVlBraVFITmhWS3hpK3pvd09Uc09ZTDRHYUFvNUZSQ1dEcjZJaGlHM2tsM2ZvOHpKd1d4dlJyaklQMmJ5RmtXdTBLS2owdkNYTVYvdGdwZ1lHOE5QakVzb3hxNlAwMUhXamxwd1lWSi84YVpsK2YxS21kTUJoalMrTzU0a1JBNXFWMkc0UWFmRFFlQmIvN2UyWEJKQT09PC9YNTA5Q2VydGlmaWNhdGU+PC9YNTA5RGF0YT48L0tleUluZm8+PC9TaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI+YXV0aDB8NTZiMTEwYjhkOWQzMjdlNzA1ZTFkMmRhPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE2LTAyLTI0VDIyOjEyOjAwLjIyOVoiIFJlY2lwaWVudD0iaHR0cHM6Ly93cHRlc3QuYXV0aDAuY29tL2xvZ2luL2NhbGxiYWNrP2Nvbm5lY3Rpb249UGVwZVNBTUwiIEluUmVzcG9uc2VUbz0iX2MxNDBkMTVmNTZjZDUzMGQzMTM4Ii8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTYtMDItMjRUMjE6MTI6MDAuMjI5WiIgTm90T25PckFmdGVyPSIyMDE2LTAyLTI0VDIyOjEyOjAwLjIyOVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+dXJuOmF1dGgwOndwdGVzdDpQZXBlU0FNTDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZWlkZW50aWZpZXIiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5hdXRoMHw1NmIxMTBiOGQ5ZDMyN2U3MDVlMWQyZGE8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvZW1haWxhZGRyZXNzIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+Z2VybWFuLmxlbmFAZ21haWwuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5nZXJtYW4ubGVuYUBnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvdXBuIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+Z2VybWFuLmxlbmFAZ21haWwuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9pZGVudGl0aWVzL2RlZmF1bHQvcHJvdmlkZXIiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5hdXRoMDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5hdXRoMC5jb20vaWRlbnRpdGllcy9kZWZhdWx0L2Nvbm5lY3Rpb24iPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5Vc2VybmFtZS1QYXNzd29yZC1BdXRoZW50aWNhdGlvbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5hdXRoMC5jb20vaWRlbnRpdGllcy9kZWZhdWx0L2lzU29jaWFsIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+ZmFsc2U8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL2VtYWlsX3ZlcmlmaWVkIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+ZmFsc2U8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL2NsaWVudElEIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+U3prUHh4QUdEMXdmek5PYTNYWWlnMjVaWkhMbWhZd1g8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL3VwZGF0ZWRfYXQiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5XZWQgRmViIDI0IDIwMTYgMjE6MTI6MDAgR01UKzAwMDAgKFVUQyk8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL3BpY3R1cmUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5odHRwczovL3MuZ3JhdmF0YXIuY29tL2F2YXRhci8wMDMxZDg1Yjg0MWViOTYwMWFmMDZiY2MyOTc4Y2NmMj9zPTQ4MCZhbXA7cj1wZyZhbXA7ZD1odHRwcyUzQSUyRiUyRmNkbi5hdXRoMC5jb20lMkZhdmF0YXJzJTJGZ2UucG5nPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9uaWNrbmFtZSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOmFueVR5cGUiPmdlcm1hbi5sZW5hPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9pZGVudGl0aWVzIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+W29iamVjdCBPYmplY3RdPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9jcmVhdGVkX2F0Ij48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+VHVlIEZlYiAwMiAyMDE2IDIwOjI1OjI4IEdNVCswMDAwIChVVEMpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDItMjRUMjE6MTI6MDAuMjI5WiIgU2Vzc2lvbkluZGV4PSJfRzc3b1BnaVlyQ3Jpem1od3hPTkRjd0NNNFB6NEM3SEUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3Nlczp1bnNwZWNpZmllZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+'; + var cert = 'MIIDDzCCAfegAwIBAgIJAP4bcs4flyQjMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNVBAMME2dsZW5hZGVtby5hdXRoMC5jb20wHhcNMTUwNjE3MTUzMjI0WhcNMjkwMjIzMTUzMjI0WjAeMRwwGgYDVQQDDBNnbGVuYWRlbW8uYXV0aDAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtbeKIeZMg8V1AgNrd8ufEmMzZbDa+olq9ftUlDlpdzrt5AB7GJ87v7tNIP1EYiqNZ+2Jlat660Tz6omC3SCz3lzaugRvim4/ZrltNjSgtOmIAlIx0IfdGDeVMSJXv9P/iPECZ2iHsVl8n4G4gAwinwK4hbRe0D+LQJJUulUr9Bp4NeBKzxh3Ds7nXRBPhVMUPP/IZTr47mLGrJaQQvPy1rxfGTuUPPWtr9MckxtZ9oIndN0r1urlSNOetoGjcWOYC3KwBVaUW1gxr1Yrip9W2XxidO8r0AI1pPepJMc26EFznfFfADbubSXQilYxgOp8NNfjc6jESkaWxLUYa1QmpQIDAQABo1AwTjAdBgNVHQ4EFgQUS+AG8m9k8PSUPPzeDkzhhWJ7DpgwHwYDVR0jBBgwFoAUS+AG8m9k8PSUPPzeDkzhhWJ7DpgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAIu0zdkl1kdmuJ6xOUEZDvE20epuHdoqvaJr9w4y7S8pIdvQ7qMZfPQbW5D6gr0Q6MkoycD5Nx6wS9W4iQ00JcYA//y8rB9mjsOPBXcjCVqk/icM6qDmki5RfAg32t4YsgkuxxWMbRghzMagT0NcoOZqscwXPV6E6dJc9xp/f0Gpka5laeFuHEyZQ8003P7prf+qYa333DS0Ws49vkXtHRgrYXsOoX0k2AiepIi4bt9CbxR/xKwcz8L0Qs+Aj1W+lUzKqerl3ctDrhls9/83yPFFyRBvhiqd2osh6H3Qb91n3Gdmcrh1dILWL7p2gQVxJ01wEWEMfYClmtPpA1ukUPg=='; + var samlOptions = { + cert: cert, + thumbprints: ['ANOTHER_THUMB'], + realm: 'urn:auth0:wptest:PepeSAML', + checkExpiration: false + }; + + var samlpOptions = { + cert: cert, + }; + + var sm = new SamlPassport(samlOptions); + var sp = new samlp(samlpOptions, sm); + + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + function (err){ + console.log(err); + assert.ok(err); + expect(err.toString()).to.equal('Error: Invalid thumbprint (configured: ANOTHER_THUMB. calculated: CD78CA598A6FB28A4D70EF6846C1141666A24240)'); + done(); + }); + }); + it('should validate an assertion from a WS-Fed STS using WS-Trust 1.3 namespaces', function (done) { var options = { From 9e0f4396383689fd7b3b0d288c39e4732af51285 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 24 Feb 2016 20:42:23 -0300 Subject: [PATCH 145/203] 2.8.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 06a0883..d38ddd4 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.7.0", + "version": "2.8.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From 35ddfc47ddc3674301649ad2e8c830f32999fc70 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Fri, 18 Mar 2016 14:53:47 -0300 Subject: [PATCH 146/203] saml: fixed normalization of special characters according to spec --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d38ddd4..461f1de 100644 --- a/package.json +++ b/package.json @@ -23,7 +23,7 @@ "ejs": "~0.8.3", "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", - "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/5e0b9547076a9cdf82e4189f54fd9212a1656a09", + "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", "xml-encryption": "~0.7.4", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", From 7c8325e6d9e7fbb84041ddcd05e974525c7b4cb9 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Fri, 18 Mar 2016 14:53:53 -0300 Subject: [PATCH 147/203] 2.9.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 461f1de..bdfc619 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.8.0", + "version": "2.9.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From d3e1c997a5ec4a8be0fb3da0dc837cf59b42d45a Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 31 Mar 2016 14:34:15 -0300 Subject: [PATCH 148/203] SAMLRequest: Signature element must be located after Issuer --- lib/passport-wsfed-saml2/samlp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 4fa4ccb..c3a4ece 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -128,7 +128,7 @@ Samlp.prototype = { }; sig.signingKey = options.signingKey.key; - sig.computeSignature(SAMLRequest); + sig.computeSignature(SAMLRequest, "//*[local-name(.)='Issuer']"); // Signature element must be located after Issuer SAMLRequest = trimXml(sig.getSignedXml()); } From 086bd478a4ec50cd3211898c155719c28657838c Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 31 Mar 2016 14:34:23 -0300 Subject: [PATCH 149/203] 2.10.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index bdfc619..0c6d2f4 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.9.0", + "version": "2.10.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec" From c5b10a4c9b560e1d9a70b2c5b3cdd0d62825a5f7 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 5 Apr 2016 18:28:30 -0300 Subject: [PATCH 150/203] implement pluggable state store --- lib/passport-wsfed-saml2/saml.js | 1 - lib/passport-wsfed-saml2/state/null.js | 12 + lib/passport-wsfed-saml2/state/session.js | 85 +++++ lib/passport-wsfed-saml2/strategy.js | 177 +++++++-- package.json | 6 +- test/state/samlp.state.custom.tests.js | 354 ++++++++++++++++++ test/state/samlp.state.session.tests.js | 432 +++++++++++++++++++++ test/state/wsfed.state.custom.tests.js | 362 ++++++++++++++++++ test/state/wsfed.state.session.tests.js | 437 ++++++++++++++++++++++ 9 files changed, 1824 insertions(+), 42 deletions(-) create mode 100644 lib/passport-wsfed-saml2/state/null.js create mode 100644 lib/passport-wsfed-saml2/state/session.js create mode 100644 test/state/samlp.state.custom.tests.js create mode 100644 test/state/samlp.state.session.tests.js create mode 100644 test/state/wsfed.state.custom.tests.js create mode 100644 test/state/wsfed.state.session.tests.js diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 1070b07..af229ed 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -1,6 +1,5 @@ // credits to: https://github.com/bergie/passport-saml -var xml2js = require('xml2js'); var xmlCrypto = require('xml-crypto'); var crypto = require('crypto'); var xmldom = require('xmldom'); diff --git a/lib/passport-wsfed-saml2/state/null.js b/lib/passport-wsfed-saml2/state/null.js new file mode 100644 index 0000000..bf8cc75 --- /dev/null +++ b/lib/passport-wsfed-saml2/state/null.js @@ -0,0 +1,12 @@ +function NullStore(options) { +} + +NullStore.prototype.store = function(req, cb) { + cb(); +}; + +NullStore.prototype.verify = function(req, providedState, cb) { + cb(null, true); +}; + +module.exports = NullStore; diff --git a/lib/passport-wsfed-saml2/state/session.js b/lib/passport-wsfed-saml2/state/session.js new file mode 100644 index 0000000..33319e0 --- /dev/null +++ b/lib/passport-wsfed-saml2/state/session.js @@ -0,0 +1,85 @@ +var uid = require('uid2'); + +/** + * Creates an instance of `SessionStore`. + * + * This is the state store implementation used when + * the `state` option is enabled. It generates a random state and stores it in + * `req.session` and verifies it when the service provider redirects the user + * back to the application. + * + * This state store requires session support. If no session exists, an error + * will be thrown. + * + * Options: + * + * - `key` The key in the session under which to store the state + * + * @constructor + * @param {Object} options + * @api public + */ +function SessionStore(options) { + if (!options.key) { throw new TypeError('Session-based state store requires a session key'); } + this._key = options.key; +} + +/** + * Store request state. + * + * This implementation simply generates a random string and stores the value in + * the session, where it will be used for verification when the user is + * redirected back to the application. + * + * @param {Object} req + * @param {Function} callback + * @api protected + */ +SessionStore.prototype.store = function(req, callback) { + if (!req.session) { return callback(new Error('Authentication requires session support when using state. Did you forget to use express-session middleware?')); } + + var key = this._key; + var state = uid(24); + if (!req.session[key]) { req.session[key] = {}; } + req.session[key].state = state; + callback(null, state); +}; + +/** + * Verify request state. + * + * This implementation simply compares the state parameter in the request to the + * value generated earlier and stored in the session. + * + * @param {Object} req + * @param {String} providedState + * @param {Function} callback + * @api protected + */ +SessionStore.prototype.verify = function(req, providedState, callback) { + if (!req.session) { return callback(new Error('Authentication requires session support when using state. Did you forget to use express-session middleware?')); } + + var key = this._key; + if (!req.session[key]) { + return callback(null, false, { message: 'Unable to verify authorization request state.' }); + } + + var state = req.session[key].state; + if (!state) { + return callback(null, false, { message: 'Unable to verify authorization request state.' }); + } + + delete req.session[key].state; + if (Object.keys(req.session[key]).length === 0) { + delete req.session[key]; + } + + if (state !== providedState) { + return callback(null, false, { message: 'Invalid authorization request state.' }); + } + + return callback(null, true); +}; + +// Expose constructor. +module.exports = SessionStore; diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 0568547..ffd7972 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -1,4 +1,5 @@ var util = require('util'); +var url = require('url'); var xmldom = require('xmldom'); var jwt = require('jsonwebtoken'); var Strategy = require('passport-strategy'); @@ -6,6 +7,9 @@ var saml = require('./saml'); var wsfed = require('./wsfederation'); var samlp = require('./samlp'); +var NullStateStore = require('./state/null'); +var SessionStateStore = require('./state/session'); + function WsFedSaml2Strategy (options, verify) { if (typeof options === 'function') { verify = options; @@ -33,11 +37,23 @@ function WsFedSaml2Strategy (options, verify) { } this._wsfed = new wsfed(options.realm, options.homeRealm, options.identityProviderUrl, options.wreply); + + this._key = options.sessionKey || (this.options.protocol + ':' + url.parse(options.identityProviderUrl || '').hostname); + + if (options.store) { + this._stateStore = options.store; + } else { + if (options.state) { + this._stateStore = new SessionStateStore({ key: this._key }); + } else { + this._stateStore = new NullStateStore(); + } + } } util.inherits(WsFedSaml2Strategy, Strategy); -WsFedSaml2Strategy.prototype._authenticate_saml = function (req) { +WsFedSaml2Strategy.prototype._authenticate_saml = function (req, state) { var self = this; if (req.body.wresult.indexOf('<') === -1) { @@ -63,6 +79,8 @@ WsFedSaml2Strategy.prototype._authenticate_saml = function (req) { return self.fail(info); } + info = info || {}; + if (state) { info.state = state; } self.success(user, info); }; @@ -70,7 +88,7 @@ WsFedSaml2Strategy.prototype._authenticate_saml = function (req) { }); }; -WsFedSaml2Strategy.prototype._authenticate_jwt = function (req) { +WsFedSaml2Strategy.prototype._authenticate_jwt = function (req, state) { var self = this; var token = req.body.wresult; @@ -88,6 +106,8 @@ WsFedSaml2Strategy.prototype._authenticate_jwt = function (req) { return self.fail(info); } + info = info || {}; + if (state) { info.state = state; } self.success(user, info); }; @@ -98,58 +118,137 @@ WsFedSaml2Strategy.prototype._authenticate_jwt = function (req) { WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { var self = this; var protocol = opts.protocol || this.options.protocol; - var authzParams = this.authorizationParams(opts); + var meta = { + identityProviderUrl: this.options.identityProviderUrl + }; + + var storeState = function (stored) { + try { + var arity = self._stateStore.store.length; + if (arity === 3) { + self._stateStore.store(req, meta, stored); + } else { // arity == 2 + self._stateStore.store(req, stored); + } + } catch (ex) { + return self.error(ex); + } + }; + + var verifyState = function (state, loaded) { + try { + var arity = self._stateStore.verify.length; + if (arity === 4) { + self._stateStore.verify(req, state, meta, loaded); + } else { // arity == 3 + self._stateStore.verify(req, state, loaded); + } + } catch (ex) { + return self.error(ex); + } + }; function executeWsfed(req) { if (req.body && req.method === 'POST' && req.body.wresult) { // We have a response, get the user identity out of it - if (self._jwt) { - self._authenticate_jwt(req); - } else { - self._authenticate_saml(req); - } + var loaded = function (err, ok, state) { + if (err) { return self.error(err); } + if (!ok) { return self.fail(state, 403); } + + if (self._jwt) { + self._authenticate_jwt(req, state); + } else { + self._authenticate_saml(req, state); + } + }; + + verifyState(req.body.wctx, loaded); } else { // Initiate new ws-fed authentication request - var idpUrl = self._wsfed.getRequestSecurityTokenUrl(authzParams); - self.redirect(idpUrl); + var authzParams = self.authorizationParams(opts); + var redirectToIdp = function () { + var idpUrl = self._wsfed.getRequestSecurityTokenUrl(authzParams); + self.redirect(idpUrl); + }; + + var state = opts.wctx; + if (state) { + authzParams.wctx = state; + redirectToIdp(); + } else { + var stored = function (err, state) { + if (err) { return self.error(err); } + if (state) { authzParams.wctx = state; } + redirectToIdp(); + }; + + storeState(stored); + } } } function executeSamlp(req) { if (req.body && req.method === 'POST' && req.body.SAMLResponse) { - var samlResponse = self._samlp.decodeResponse(req); - if (samlResponse.indexOf('<') === -1) { - return self.fail('SAMLResponse should be a valid xml', 400); - } - // We have a response, get the user identity out of it - var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); - self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { - if (err) return self.fail(err, err.status || 400); - - var verified = function (err, user, info) { - if (err) return self.error(err); - if (!user) return self.fail(info); - self.success(user, info); - }; + var loaded = function (err, ok, state) { + if (err) { return self.error(err); } + if (!ok) { return self.fail(state, 403); } + + var samlResponse = self._samlp.decodeResponse(req); + if (samlResponse.indexOf('<') === -1) { + return self.fail('SAMLResponse should be a valid xml', 400); + } + + var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); + self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { + if (err) return self.fail(err, err.status || 400); + + var verified = function (err, user, info) { + if (err) return self.error(err); + if (!user) return self.fail(info); + + info = info || {}; + if (state) { info.state = state; } + self.success(user, info); + }; - self._verify(profile, verified); - }); + self._verify(profile, verified); + }); + }; + + verifyState(req.body.RelayState, loaded); } else { // Initiate new samlp authentication request - if (self.options.protocolBinding === 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST') { - self._samlp.getSamlRequestForm(authzParams, function (err, form) { - if (err) return self.error(err); - var res = req.res; - res.set('Content-Type', 'text/html'); - res.send(form); - }); - } - else { - self._samlp.getSamlRequestUrl(authzParams, function (err, url) { - if (err) return self.error(err); - self.redirect(url); - }); + var authzParams = self.authorizationParams(opts); + var sendRequestToIdp = function () { + if (self.options.protocolBinding === 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST') { + self._samlp.getSamlRequestForm(authzParams, function (err, form) { + if (err) return self.error(err); + var res = req.res; + res.set('Content-Type', 'text/html'); + res.send(form); + }); + } + else { + self._samlp.getSamlRequestUrl(authzParams, function (err, url) { + if (err) return self.error(err); + self.redirect(url); + }); + } + }; + + var state = opts.RelayState; + if (state) { + authzParams.RelayState = state; + sendRequestToIdp(); + } else { + var stored = function (err, state) { + if (err) { return self.error(err); } + if (state) { authzParams.RelayState = state; } + sendRequestToIdp(); + }; + + storeState(stored); } } } diff --git a/package.json b/package.json index 0c6d2f4..c2d266f 100644 --- a/package.json +++ b/package.json @@ -3,7 +3,7 @@ "version": "2.10.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { - "test": "mocha --reporter spec" + "test": "mocha --reporter spec --recursive" }, "author": { "name": "Matias Woloski", @@ -23,6 +23,7 @@ "ejs": "~0.8.3", "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", + "uid2": "0.0.x", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", "xml-encryption": "~0.7.4", "xml2js": "0.1.x", @@ -31,7 +32,8 @@ "xtend": "~2.0.3" }, "devDependencies": { - "chai": "~1.5.0", + "chai": "2.x.x", + "chai-passport-strategy": "1.x.x", "express": "~3.1.0", "mocha": "~1.8.1", "request": "~2.14.0", diff --git a/test/state/samlp.state.custom.tests.js b/test/state/samlp.state.custom.tests.js new file mode 100644 index 0000000..30e19cf --- /dev/null +++ b/test/state/samlp.state.custom.tests.js @@ -0,0 +1,354 @@ +var chai = require('chai'); +var expect = require('chai').expect; +var passport = require('chai-passport-strategy'); +var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; + +chai.use(passport); + +describe('samlp - using custom session state store', function() { + + var SAMLResponse = 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfOGU4ZGM1ZjY5YTk4Y2M0YzFmZjM0MjdlNWNlMzQ2MDZmZDY3MmY5MWU2IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1Ij4NCiAgPHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+DQogIDwvc2FtbHA6U3RhdHVzPg0KICA8c2FtbDpBc3NlcnRpb24geG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiBJRD0iX2Q3MWEzYThlOWZjYzQ1YzllOWQyNDhlZjcwNDkzOTNmYzhmMDRlNWY3NSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPg0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCI+X2NlM2QyOTQ4YjRjZjIwMTQ2ZGVlMGEwYjNkZDZmNjliNmNmODZmNjJkNzwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiIFJlY2lwaWVudD0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL2luZGV4LnBocD9hY3MiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcnM8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmV4YW1wbGVyb2xlMTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+'; + + describe('that accepts meta argument', function() { + function CustomStore() {} + + CustomStore.prototype.store = function(req, meta, cb) { + if (req.url === '/error') { return cb(new Error('something went wrong storing state')); } + if (req.url === '/exception') { throw new Error('something went horribly wrong storing state'); } + + if (req.url !== '/me') { return cb(new Error('incorrect req argument')); } + if (meta.identityProviderUrl !== 'http://www.example.com/samlp') { return cb(new Error('incorrect meta.identityProviderUrl argument')); } + + req.customStoreStoreCalled = req.customStoreStoreCalled ? req.customStoreStoreCalled++ : 1; + return cb(null, 'foos7473'); + }; + + CustomStore.prototype.verify = function(req, state, meta, cb) { + if (req.url === '/error') { return cb(new Error('something went wrong verifying state')); } + if (req.url === '/exception') { throw new Error('something went horribly wrong verifying state'); } + + if (state !== 'foos7473') { return cb(new Error('incorrect state argument')); } + if (meta.identityProviderUrl !== 'http://www.example.com/samlp') { return cb(new Error('incorrect meta.identityProviderUrl argument')); } + + req.customStoreVerifyCalled = req.customStoreVerifyCalled ? req.customStoreVerifyCalled++ : 1; + return cb(null, true); + }; + + describe('issuing authorization request', function() { + var strategy = new Strategy({ + protocol: 'samlp', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: 'http://www.example.com/samlp', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function() {}); + + describe('that redirects to service provider', function() { + var request, url; + + before(function (done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.url = '/me'; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + expect(url).to.have.string('http://www.example.com/samlp?SAMLRequest='); + expect(url).to.have.string('&RelayState=foos7473'); + }); + + it('should serialize state using custom store', function() { + expect(request.customStoreStoreCalled).to.equal(1); + }); + }); + + describe('that errors due to custom store supplying error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + req.url = '/error'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went wrong storing state'); + }); + }); + + describe('that errors due to custom store throwing error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + req.url = '/exception'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went horribly wrong storing state'); + }); + }); + }); + + describe('processing response to authorization request', function() { + var strategy = new Strategy({ + protocol: 'samlp', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: 'http://www.example.com/samlp', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._samlp.validateSamlResponse = function(token, done) { + expect(token).to.be.an.object; + done(null, { id: '1234' }); + }; + + describe('that was approved', function() { + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/login'; + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should verify state using custom store', function() { + expect(request.customStoreVerifyCalled).to.equal(1); + }); + }); + + describe('that errors due to custom store supplying error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/error'; + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went wrong verifying state'); + }); + }); + + describe('that errors due to custom store throwing error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/exception'; + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went horribly wrong verifying state'); + }); + }); + }); + }); + + describe('that accepts meta argument and supplies state', function() { + function CustomStore() {} + + CustomStore.prototype.verify = function(req, state, meta, cb) { + req.customStoreVerifyCalled = req.customStoreVerifyCalled ? req.customStoreVerifyCalled++ : 1; + return cb(null, true, { returnTo: 'http://www.example.com/' }); + }; + + describe('processing response to authorization request', function() { + + describe('that was approved without info', function() { + var strategy = new Strategy({ + protocol: 'samlp', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: 'http://www.example.com/samlp', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function (profile, done) { + return done(null, profile); + }); + + strategy._samlp.validateSamlResponse = function(token, done) { + expect(token).to.be.an.object; + done(null, { id: '1234' }); + }; + + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/login'; + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info with state', function() { + expect(info).to.be.an.object; + expect(Object.keys(info)).to.have.length(1); + expect(info.state).to.be.an.object; + expect(info.state.returnTo).to.equal('http://www.example.com/'); + }); + + it('should verify state using custom store', function() { + expect(request.customStoreVerifyCalled).to.equal(1); + }); + }); + + describe('that was approved with info', function() { + var strategy = new Strategy({ + protocol: 'samlp', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: 'http://www.example.com/samlp', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._samlp.validateSamlResponse = function(token, done) { + expect(token).to.be.an.object; + done(null, { id: '1234' }); + }; + + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/login'; + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info with state', function() { + expect(info).to.be.an.object; + expect(Object.keys(info)).to.have.length(2); + expect(info.message).to.equal('Hello'); + expect(info.state).to.be.an.object; + expect(info.state.returnTo).to.equal('http://www.example.com/'); + }); + + it('should verify state using custom store', function() { + expect(request.customStoreVerifyCalled).to.equal(1); + }); + }); + }); + }); +}); diff --git a/test/state/samlp.state.session.tests.js b/test/state/samlp.state.session.tests.js new file mode 100644 index 0000000..d2d6b32 --- /dev/null +++ b/test/state/samlp.state.session.tests.js @@ -0,0 +1,432 @@ +var chai = require('chai'); +var uri = require('url'); +var expect = require('chai').expect; +var passport = require('chai-passport-strategy'); +var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; + +chai.use(passport); + +describe('samlp - using default session state store', function() { + + var SAMLResponse = 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfOGU4ZGM1ZjY5YTk4Y2M0YzFmZjM0MjdlNWNlMzQ2MDZmZDY3MmY5MWU2IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoiIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1Ij4NCiAgPHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+DQogIDwvc2FtbHA6U3RhdHVzPg0KICA8c2FtbDpBc3NlcnRpb24geG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiBJRD0iX2Q3MWEzYThlOWZjYzQ1YzllOWQyNDhlZjcwNDkzOTNmYzhmMDRlNWY3NSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPg0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCI+X2NlM2QyOTQ4YjRjZjIwMTQ2ZGVlMGEwYjNkZDZmNjliNmNmODZmNjJkNzwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiIFJlY2lwaWVudD0iaHR0cDovL3NwLmV4YW1wbGUuY29tL2RlbW8xL2luZGV4LnBocD9hY3MiIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fNGZlZTNiMDQ2Mzk1YzRlNzUxMDExZTk3Zjg5MDBiNTI3M2Q1NjY4NSIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTQtMDctMTdUMDE6MDE6MThaIiBOb3RPbk9yQWZ0ZXI9IjIwMjQtMDEtMThUMDY6MjE6NDhaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3YWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcnM8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmV4YW1wbGVyb2xlMTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+'; + + describe('without session key option', function() { + + describe('issuing authorization request', function() { + var strategy = new Strategy({ + protocol: 'samlp', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: 'http://www.example.com/samlp', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + state: true + }, function () {}); + + describe('that redirects to service provider', function() { + var request, url; + + before(function(done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.session = {}; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + var u = uri.parse(url, true); + expect(u.query.RelayState).to.have.length(24); + }); + + it('should save state in session', function() { + var u = uri.parse(url, true); + expect(request.session['samlp:www.example.com'].state).to.have.length(24); + expect(request.session['samlp:www.example.com'].state).to.equal(u.query.RelayState); + }); + }); + + describe('that redirects to service provider with other data in session', function() { + var request, url; + + before(function(done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.session = {}; + req.session['samlp:www.example.com'] = {}; + req.session['samlp:www.example.com'].foo = 'bar'; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + var u = uri.parse(url, true); + expect(u.query.RelayState).to.have.length(24); + }); + + it('should save state in session', function() { + var u = uri.parse(url, true); + + expect(request.session['samlp:www.example.com'].state).to.have.length(24); + expect(request.session['samlp:www.example.com'].state).to.equal(u.query.RelayState); + }); + + it('should preserve other data in session', function() { + expect(request.session['samlp:www.example.com'].foo).to.equal('bar'); + }); + }); + + describe('that errors due to lack of session support in app', function() { + var request, err; + + before(function(done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('Authentication requires session support when using state. Did you forget to use express-session middleware?'); + }); + }); + }); + + describe('processing response to authorization request', function() { + var strategy = new Strategy({ + protocol: 'samlp', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: 'http://www.example.com/samlp', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + state: true + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._samlp.validateSamlResponse = function(token, done) { + expect(token).to.be.an.object; + done(null, { id: '1234' }); + }; + + describe('that was approved', function() { + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + req.session['samlp:www.example.com'] = {}; + req.session['samlp:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should remove state from session', function() { + expect(request.session['samlp:www.example.com']).to.be.undefined; + }); + }); + + describe('that was approved with other data in the session', function() { + var request, user, info; + + before(function(done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + req.session['samlp:www.example.com'] = {}; + req.session['samlp:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.session['samlp:www.example.com'].foo = 'bar'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should preserve other data from session', function() { + expect(request.session['samlp:www.example.com'].state).to.be.undefined; + expect(request.session['samlp:www.example.com'].foo).to.equal('bar'); + }); + }); + + describe('that fails due to state being invalid', function() { + var request, info, status; + + before(function (done) { + chai.passport.use(strategy) + .fail(function(i, s) { + info = i; + status = s; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'DkbychwKu8kBaJoLE5yeR5NK-WRONG'; + req.method = 'POST'; + req.session = {}; + req.session['samlp:www.example.com'] = {}; + req.session['samlp:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + }) + .authenticate({}); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Invalid authorization request state.'); + }); + + it('should supply status', function() { + expect(status).to.equal(403); + }); + + it('should remove state from session', function() { + expect(request.session['samlp:www.example.com']).to.be.undefined; + }); + }); + + describe('that fails due to provider-specific state not found in session', function() { + var request, info, status; + + before(function(done) { + chai.passport.use(strategy) + .fail(function(i, s) { + info = i; + status = s; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + }) + .authenticate({}); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Unable to verify authorization request state.'); + }); + + it('should supply status', function() { + expect(status).to.equal(403); + }); + }); + + describe('that fails due to provider-specific state lacking state value', function() { + var request, info, status; + + before(function(done) { + chai.passport.use(strategy) + .fail(function(i, s) { + info = i; + status = s; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + req.session['samlp:www.example.com'] = {}; + }) + .authenticate({}); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Unable to verify authorization request state.'); + }); + + it('should supply status', function() { + expect(status).to.equal(403); + }); + }); + + describe('that errors due to lack of session support in app', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('Authentication requires session support when using state. Did you forget to use express-session middleware?'); + }); + }); + }); + }); + + describe('with session key option', function() { + var strategy = new Strategy({ + protocol: 'samlp', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: 'http://www.example.com/samlp', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + state: true, + sessionKey: 'samlp:example' + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._samlp.validateSamlResponse = function(token, done) { + expect(token).to.be.an.object; + done(null, { id: '1234' }); + }; + + describe('issuing authorization request', function() { + + describe('that redirects to service provider', function() { + var request, url; + + before(function (done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.session = {}; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + var u = uri.parse(url, true); + expect(u.query.RelayState).to.have.length(24); + }); + + it('should save state in session', function() { + var u = uri.parse(url, true); + + expect(request.session['samlp:example'].state).to.have.length(24); + expect(request.session['samlp:example'].state).to.equal(u.query.RelayState); + }); + }); + }); + + describe('processing response to authorization request', function() { + + describe('that was approved', function() { + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.SAMLResponse = SAMLResponse; + req.body.RelayState = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + req.session['samlp:example'] = {}; + req.session['samlp:example']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should remove state from session', function() { + expect(request.session['samlp:example']).to.be.undefined; + }); + }); + }); + }); +}); diff --git a/test/state/wsfed.state.custom.tests.js b/test/state/wsfed.state.custom.tests.js new file mode 100644 index 0000000..f5f14c2 --- /dev/null +++ b/test/state/wsfed.state.custom.tests.js @@ -0,0 +1,362 @@ +var chai = require('chai'); +var expect = require('chai').expect; +var passport = require('chai-passport-strategy'); +var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; + +chai.use(passport); + +describe('wsfed - using custom session state store', function() { + + describe('that accepts meta argument', function() { + function CustomStore() {} + + CustomStore.prototype.store = function(req, meta, cb) { + if (req.url === '/error') { return cb(new Error('something went wrong storing state')); } + if (req.url === '/exception') { throw new Error('something went horribly wrong storing state'); } + + if (req.url !== '/me') { return cb(new Error('incorrect req argument')); } + if (meta.identityProviderUrl !== 'http://www.example.com/login') { return cb(new Error('incorrect meta.identityProviderUrl argument')); } + + req.customStoreStoreCalled = req.customStoreStoreCalled ? req.customStoreStoreCalled++ : 1; + return cb(null, 'foos7473'); + }; + + CustomStore.prototype.verify = function(req, state, meta, cb) { + if (req.url === '/error') { return cb(new Error('something went wrong verifying state')); } + if (req.url === '/exception') { throw new Error('something went horribly wrong verifying state'); } + + if (state !== 'foos7473') { return cb(new Error('incorrect state argument')); } + if (meta.identityProviderUrl !== 'http://www.example.com/login') { return cb(new Error('incorrect meta.identityProviderUrl argument')); } + + req.customStoreVerifyCalled = req.customStoreVerifyCalled ? req.customStoreVerifyCalled++ : 1; + return cb(null, true); + }; + + describe('issuing authorization request', function() { + var strategy = new Strategy({ + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://www.example.com/login', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function() {}); + + describe('that redirects to service provider', function() { + var request, url; + + before(function (done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.url = '/me'; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + expect(url).to.equal('http://www.example.com/login?wctx=foos7473&wtrealm=urn%3Afixture-test&wa=wsignin1.0&whr='); + }); + + it('should serialize state using custom store', function() { + expect(request.customStoreStoreCalled).to.equal(1); + }); + }); + + describe('that errors due to custom store supplying error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + req.url = '/error'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went wrong storing state'); + }); + }); + + describe('that errors due to custom store throwing error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + req.url = '/exception'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went horribly wrong storing state'); + }); + }); + }); + + describe('processing response to authorization request', function() { + var strategy = new Strategy({ + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://www.example.com/login', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._wsfed.extractToken = function(req) { + expect(req).to.be.an.object; + return '...'; + }; + + strategy._saml.validateSamlAssertion = function(token, done) { + expect(token).to.equal('...'); + done(null, { id: '1234' }); + }; + + describe('that was approved', function() { + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/login'; + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should verify state using custom store', function() { + expect(request.customStoreVerifyCalled).to.equal(1); + }); + }); + + describe('that errors due to custom store supplying error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/error'; + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went wrong verifying state'); + }); + }); + + describe('that errors due to custom store throwing error', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/exception'; + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('something went horribly wrong verifying state'); + }); + }); + }); + }); + + describe('that accepts meta argument and supplies state', function() { + function CustomStore() {} + + CustomStore.prototype.verify = function(req, state, meta, cb) { + req.customStoreVerifyCalled = req.customStoreVerifyCalled ? req.customStoreVerifyCalled++ : 1; + return cb(null, true, { returnTo: 'http://www.example.com/' }); + }; + + describe('processing response to authorization request', function() { + + describe('that was approved without info', function() { + var strategy = new Strategy({ + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://www.example.com/login', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function (profile, done) { + return done(null, profile); + }); + + strategy._wsfed.extractToken = function(req) { + expect(req).to.be.an.object; + return '...'; + }; + + strategy._saml.validateSamlAssertion = function(token, done) { + expect(token).to.equal('...'); + done(null, { id: '1234' }); + }; + + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/login'; + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info with state', function() { + expect(info).to.be.an.object; + expect(Object.keys(info)).to.have.length(1); + expect(info.state).to.be.an.object; + expect(info.state.returnTo).to.equal('http://www.example.com/'); + }); + + it('should verify state using custom store', function() { + expect(request.customStoreVerifyCalled).to.equal(1); + }); + }); + + describe('that was approved with info', function() { + var strategy = new Strategy({ + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://www.example.com/login', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + store: new CustomStore() + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._wsfed.extractToken = function(req) { + expect(req).to.be.an.object; + return '...'; + }; + + strategy._saml.validateSamlAssertion = function(token, done) { + expect(token).to.equal('...'); + done(null, { id: '1234' }); + }; + + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.url = '/login'; + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'foos7473'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info with state', function() { + expect(info).to.be.an.object; + expect(Object.keys(info)).to.have.length(2); + expect(info.message).to.equal('Hello'); + expect(info.state).to.be.an.object; + expect(info.state.returnTo).to.equal('http://www.example.com/'); + }); + + it('should verify state using custom store', function() { + expect(request.customStoreVerifyCalled).to.equal(1); + }); + }); + }); + }); +}); diff --git a/test/state/wsfed.state.session.tests.js b/test/state/wsfed.state.session.tests.js new file mode 100644 index 0000000..288912a --- /dev/null +++ b/test/state/wsfed.state.session.tests.js @@ -0,0 +1,437 @@ +var chai = require('chai'); +var uri = require('url'); +var expect = require('chai').expect; +var passport = require('chai-passport-strategy'); +var Strategy = require('../../lib/passport-wsfed-saml2').Strategy; + +chai.use(passport); + +describe('wsfed - using default session state store', function() { + + describe('without session key option', function() { + + describe('issuing authorization request', function() { + var strategy = new Strategy({ + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://www.example.com/login', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + state: true + }, function () {}); + + describe('that redirects to service provider', function() { + var request, url; + + before(function(done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.session = {}; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + var u = uri.parse(url, true); + expect(u.query.wctx).to.have.length(24); + }); + + it('should save state in session', function() { + var u = uri.parse(url, true); + expect(request.session['wsfed:www.example.com'].state).to.have.length(24); + expect(request.session['wsfed:www.example.com'].state).to.equal(u.query.wctx); + }); + }); + + describe('that redirects to service provider with other data in session', function() { + var request, url; + + before(function(done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.session = {}; + req.session['wsfed:www.example.com'] = {}; + req.session['wsfed:www.example.com'].foo = 'bar'; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + var u = uri.parse(url, true); + expect(u.query.wctx).to.have.length(24); + }); + + it('should save state in session', function() { + var u = uri.parse(url, true); + + expect(request.session['wsfed:www.example.com'].state).to.have.length(24); + expect(request.session['wsfed:www.example.com'].state).to.equal(u.query.wctx); + }); + + it('should preserve other data in session', function() { + expect(request.session['wsfed:www.example.com'].foo).to.equal('bar'); + }); + }); + + describe('that errors due to lack of session support in app', function() { + var request, err; + + before(function(done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('Authentication requires session support when using state. Did you forget to use express-session middleware?'); + }); + }); + }); + + describe('processing response to authorization request', function() { + var strategy = new Strategy({ + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://www.example.com/login', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + state: true + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._wsfed.extractToken = function(req) { + expect(req).to.be.an.object; + return '...'; + }; + + strategy._saml.validateSamlAssertion = function(token, done) { + expect(token).to.equal('...'); + done(null, { id: '1234' }); + }; + + describe('that was approved', function() { + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + req.session['wsfed:www.example.com'] = {}; + req.session['wsfed:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should remove state from session', function() { + expect(request.session['wsfed:www.example.com']).to.be.undefined; + }); + }); + + describe('that was approved with other data in the session', function() { + var request, user, info; + + before(function(done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + req.session['wsfed:www.example.com'] = {}; + req.session['wsfed:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.session['wsfed:www.example.com'].foo = 'bar'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should preserve other data from session', function() { + expect(request.session['wsfed:www.example.com'].state).to.be.undefined; + expect(request.session['wsfed:www.example.com'].foo).to.equal('bar'); + }); + }); + + describe('that fails due to state being invalid', function() { + var request, info, status; + + before(function (done) { + chai.passport.use(strategy) + .fail(function(i, s) { + info = i; + status = s; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'DkbychwKu8kBaJoLE5yeR5NK-WRONG'; + req.method = 'POST'; + req.session = {}; + req.session['wsfed:www.example.com'] = {}; + req.session['wsfed:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + }) + .authenticate({}); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Invalid authorization request state.'); + }); + + it('should supply status', function() { + expect(status).to.equal(403); + }); + + it('should remove state from session', function() { + expect(request.session['wsfed:www.example.com']).to.be.undefined; + }); + }); + + describe('that fails due to provider-specific state not found in session', function() { + var request, info, status; + + before(function(done) { + chai.passport.use(strategy) + .fail(function(i, s) { + info = i; + status = s; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'DkbychwKu8kBaJoLE5yeR5NK-WRONG'; + req.method = 'POST'; + req.session = {}; + }) + .authenticate({}); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Unable to verify authorization request state.'); + }); + + it('should supply status', function() { + expect(status).to.equal(403); + }); + }); + + describe('that fails due to provider-specific state lacking state value', function() { + var request, info, status; + + before(function(done) { + chai.passport.use(strategy) + .fail(function(i, s) { + info = i; + status = s; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'DkbychwKu8kBaJoLE5yeR5NK-WRONG'; + req.method = 'POST'; + req.session = {}; + req.session['wsfed:www.example.com'] = {}; + }) + .authenticate({}); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Unable to verify authorization request state.'); + }); + + it('should supply status', function() { + expect(status).to.equal(403); + }); + }); + + describe('that errors due to lack of session support in app', function() { + var request, err; + + before(function (done) { + chai.passport.use(strategy) + .error(function(e) { + err = e; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'DkbychwKu8kBaJoLE5yeR5NK-WRONG'; + req.method = 'POST'; + }) + .authenticate({}); + }); + + it('should error', function() { + expect(err).to.be.an.instanceof(Error); + expect(err.message).to.equal('Authentication requires session support when using state. Did you forget to use express-session middleware?'); + }); + }); + }); + }); + + describe('with session key option', function() { + var strategy = new Strategy({ + path: '/callback', + realm: 'urn:fixture-test', + identityProviderUrl: 'http://www.example.com/login', + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + state: true, + sessionKey: 'wsfed:example' + }, + function (profile, done) { + return done(null, profile, { message: 'Hello' }); + }); + + strategy._wsfed.extractToken = function(req) { + expect(req).to.be.an.object; + return '...'; + }; + + strategy._saml.validateSamlAssertion = function(token, done) { + expect(token).to.equal('...'); + done(null, { id: '1234' }); + }; + + describe('issuing authorization request', function() { + + describe('that redirects to service provider', function() { + var request, url; + + before(function (done) { + chai.passport.use(strategy) + .redirect(function(u) { + url = u; + done(); + }) + .req(function(req) { + request = req; + req.session = {}; + }) + .authenticate({}); + }); + + it('should be redirected', function() { + var u = uri.parse(url, true); + expect(u.query.wctx).to.have.length(24); + }); + + it('should save state in session', function() { + var u = uri.parse(url, true); + + expect(request.session['wsfed:example'].state).to.have.length(24); + expect(request.session['wsfed:example'].state).to.equal(u.query.wctx); + }); + }); + }); + + describe('processing response to authorization request', function() { + + describe('that was approved', function() { + var request, user, info; + + before(function (done) { + chai.passport.use(strategy) + .success(function(u, i) { + user = u; + info = i; + done(); + }) + .req(function(req) { + request = req; + + req.body = {}; + req.body.wresult = '...'; + req.body.wctx = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.method = 'POST'; + req.session = {}; + req.session['wsfed:example'] = {}; + req.session['wsfed:example']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + }) + .authenticate({}); + }); + + it('should supply user', function() { + expect(user).to.be.an.object; + expect(user.id).to.equal('1234'); + }); + + it('should supply info', function() { + expect(info).to.be.an.object; + expect(info.message).to.equal('Hello'); + }); + + it('should remove state from session', function() { + expect(request.session['wsfed:example']).to.be.undefined; + }); + }); + }); + }); +}); From 045f32c9ff481541eb74a40910d2f12465839450 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Tue, 5 Apr 2016 18:28:43 -0300 Subject: [PATCH 151/203] 2.11.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index c2d266f..a128521 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.10.0", + "version": "2.11.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From 86bc854597217c30b769f6ce39ff4a253b908645 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 6 Apr 2016 11:35:57 -0300 Subject: [PATCH 152/203] avoid uncaught from signature generation --- lib/passport-wsfed-saml2/samlp.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index c3a4ece..dcd1552 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -152,7 +152,13 @@ Samlp.prototype = { } params.SigAlg = algorithms.signature[signatureAlgorithm]; - params.Signature = sign(querystring.stringify(params), options.signingKey.key, signatureAlgorithm); + + try { + params.Signature = sign(querystring.stringify(params), options.signingKey.key, signatureAlgorithm); + } + catch(e) { + return callback(e); + } } callback(null, params); From 6a7405e9ab00cd544712cdfc4491e47e171cd402 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Wed, 6 Apr 2016 11:36:05 -0300 Subject: [PATCH 153/203] 2.11.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index a128521..01e8832 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.0", + "version": "2.11.1", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From 351dd2d88c4f78c630925213e4789cc304df33a3 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Fri, 29 Apr 2016 19:04:40 -0300 Subject: [PATCH 154/203] xml-encryption 0.8.0 --- lib/passport-wsfed-saml2/samlp.js | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index dcd1552..01248d6 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -232,7 +232,7 @@ Samlp.prototype = { return done(new Error('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.')); } - return xmlenc.decrypt(encryptedData.toString(), { key: this.options.decryptionKey, autopadding: this.options.autopadding }, done); + return xmlenc.decrypt(encryptedData, { key: this.options.decryptionKey, autopadding: this.options.autopadding }, done); } } diff --git a/package.json b/package.json index 01e8832..fb1baa0 100644 --- a/package.json +++ b/package.json @@ -25,7 +25,7 @@ "passport-strategy": "^1.0.0", "uid2": "0.0.x", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", - "xml-encryption": "~0.7.4", + "xml-encryption": "~0.8.0", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", "xpath": "0.0.5", From ee84a3789af2e1fd5bcf7fdda64536ea6e164ea3 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Fri, 29 Apr 2016 19:09:42 -0300 Subject: [PATCH 155/203] 2.11.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index fb1baa0..e6c0615 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.1", + "version": "2.11.2", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From f4b5a16f861ae2df321e0b0f3a167ed90c3efd9d Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 26 May 2016 02:03:29 -0300 Subject: [PATCH 156/203] return HTTP 400 is saml response contains multiple Assertion/EncryptedAssertion elements --- lib/passport-wsfed-saml2/samlp.js | 15 ++++++++++++--- test/interop.tests.js | 21 +++++++++++++++++++++ 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 01248d6..49164a2 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -217,12 +217,21 @@ Samlp.prototype = { callback(null, assertion); }; - var token = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion')[0]; + var assertions = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'Assertion'); + if (assertions.length > 1) { + return done(new Error('A SAMLResponse can contains only one Assertion element.')); + } + + var token = assertions[0]; if (!token) { // check for encrypted assertion - var encryptedToken = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'EncryptedAssertion')[0]; - if (encryptedToken) { + var encryptedAssertion = samlpResponse.getElementsByTagNameNS(saml2Namespace, 'EncryptedAssertion'); + if (encryptedAssertion.length > 1) { + return done(new Error('A SAMLResponse can contains only one EncryptedAssertion element.')); + } + var encryptedToken = encryptedAssertion[0]; + if (encryptedToken) { var encryptedData = encryptedToken.getElementsByTagNameNS('http://www.w3.org/2001/04/xmlenc#', 'EncryptedData')[0]; if (!encryptedData) { return done(new Error('EncryptedData not found.')); diff --git a/test/interop.tests.js b/test/interop.tests.js index 0f69d4d..e6a03ff 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -125,6 +125,27 @@ describe('interop', function () { }); }); + describe('signed assertion trying a wrapping attack', function () { + var r; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-okta', + form: { SAMLResponse: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9hdXRoMDE0NS5hdXRoMC5jb20iIElEPSJpZDgxMzIzMDI4Njg0Njg5ODM4OTkzODY4MzEiIElzc3VlSW5zdGFudD0iMjAxMy0wOC0wM1QyMTo1NDo0My45NDJaIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwOi8vd3d3Lm9rdGEuY29tL2s3eGtocTBqVUhVUFFBWFZNVUFOPC9zYW1sMjpJc3N1ZXI+PHNhbWwycDpTdGF0dXMgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJFVklMIiBJc3N1ZUluc3RhbnQ9IjIwMTMtMDgtMDNUMjE6NTQ6NDMuOTQyWiIgVmVyc2lvbj0iMi4wIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPjxzYW1sMjpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vd3d3Lm9rdGEuY29tL2s3eGtocTBqVUhVUFFBWFZNVUFOPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNpZDgxMzIzMDI4Njg1NDEwMTk3NTU0MTQxMjEiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InhzIi8+PC9kczpUcmFuc2Zvcm0+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT40Ryt1dmVLbXRpQjFFa1k1QkF0KzhsbVF3akk9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PHNhbWwyOkFzc2VydGlvbiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9ImlkODEzMjMwMjg2ODU0MTAxOTc1NTQxNDEyMSIgSXNzdWVJbnN0YW50PSIyMDEzLTA4LTAzVDIxOjU0OjQzLjk0MloiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5IiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL3d3dy5va3RhLmNvbS9rN3hraHEwalVIVVBRQVhWTVVBTjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQ4MTMyMzAyODY4NTQxMDE5NzU1NDE0MTIxIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiBQcmVmaXhMaXN0PSJ4cyIvPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+NEcrdXZlS210aUIxRWtZNUJBdCs4bG1Rd2pJPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5RODBONkZVcjUvWVB0RXpSbFJkTW9QdStiTDBNc3NEeE5VWSt5eHlremJteHNJMGpvRW8vU21tU2dackRZUUtUbGxaay9LZnpCTVBGVjl5Qkg0K21FekNVNUUzeHVDczk5alp6YWZjdzNLOG1JTVRKeTFZSHhqYzM1OWQyN1I1czUwaTl3NVBIc3VzUm92ME1qUUlvSjJ3NDhHeTRFbllhVmlxQlIzVVZFcUU9PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDblRDQ0FnYWdBd0lCQWdJR0FVQkdIeHFVTUEwR0NTcUdTSWIzRFFFQkJRVUFNSUdSTVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHDQpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVDQpNQklHQTFVRUN3d0xVMU5QVUhKdmRtbGtaWEl4RWpBUUJnTlZCQU1NQ1d0c2RXZHNZV0p6TWpFY01Cb0dDU3FHU0liM0RRRUpBUllODQphVzVtYjBCdmEzUmhMbU52YlRBZUZ3MHhNekE0TURNeU1UTTRNemhhRncwME16QTRNRE15TVRNNU16aGFNSUdSTVFzd0NRWURWUVFHDQpFd0pWVXpFVE1CRUdBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFDQpDZ3dFVDJ0MFlURVVNQklHQTFVRUN3d0xVMU5QVUhKdmRtbGtaWEl4RWpBUUJnTlZCQU1NQ1d0c2RXZHNZV0p6TWpFY01Cb0dDU3FHDQpTSWIzRFFFSkFSWU5hVzVtYjBCdmEzUmhMbU52YlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXNDQjlsSlRIDQpxQjd2ZE01amVPSDg0Y1c4dTdJSFl2NC9PQVBZRjBmQlllOXdKeTE5Q2d5TTJPZ2lBU3VBY0l0bkg0V2hCK2lvMlpQd2IvWHdsN1V1DQo0WG1VRTBsK21rQ051RFlwNWZYVFp4d3Y1RzZIdmtBeFhaaW8wUms5VDBWRVRDcm94Z3BTNUx4US9vL293alIzOVM3eHpSbmo2ZGRYDQozTXEyeUdqS3lCY0NBd0VBQVRBTkJna3Foa2lHOXcwQkFRVUZBQU9CZ1FBQjFxR05xU05MTFdxK1JQY1Ard09hV3RZcEpPSjgvTWJaDQpFV1dtOS9LS0hLWE02Si96Z1VVSVhaaTNjek1lTytZK1gxNFBSOGxHWG9BSGY1Yi9KYXZHOUZtRnZSbjRmR2E0NVZUVm8yR2ZNTjZLDQphSUtGMG9iZUNiWWkvUVVmOEIrWGkxdFNJSm0xVkNLUkU3bm5saVEvVHpHYU51bGdXZXlUYlZrRzAvWDhMUT09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWwyOlN1YmplY3QgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPmFkbWluQGtsdWdsYWJzLmNvbTwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMy0wOC0wM1QyMTo1OTo0My45NDJaIiBSZWNpcGllbnQ9Imh0dHBzOi8vYXV0aDAxNDUuYXV0aDAuY29tIi8+PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDgtMDNUMjE6NDk6NDMuOTQzWiIgTm90T25PckFmdGVyPSIyMDEzLTA4LTAzVDIxOjU5OjQzLjk0MloiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly9hdXRoMDE0NS5hdXRoMC5jb208L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM+PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wOC0wM1QyMTo1NDo0My45NDJaIiBTZXNzaW9uSW5kZXg9ImlkMTM3NTU2Njg4Mzk0Mi42ODc2MTA0MzciIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDI6QXV0aG5Db250ZXh0PjxzYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50IHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDI6QXR0cmlidXRlIE5hbWU9IlJvbGUiIE5hbWVGb3JtYXQ9Im5zIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5BZG1pbjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PGRzOlNpZ25hdHVyZVZhbHVlPlE4ME42RlVyNS9ZUHRFelJsUmRNb1B1K2JMME1zc0R4TlVZK3l4eWt6Ym14c0kwam9Fby9TbW1TZ1pyRFlRS1RsbFprL0tmekJNUEZWOXlCSDQrbUV6Q1U1RTN4dUNzOTlqWnphZmN3M0s4bUlNVEp5MVlIeGpjMzU5ZDI3UjVzNTBpOXc1UEhzdXNSb3YwTWpRSW9KMnc0OEd5NEVuWWFWaXFCUjNVVkVxRT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNuVENDQWdhZ0F3SUJBZ0lHQVVCR0h4cVVNQTBHQ1NxR1NJYjNEUUVCQlFVQU1JR1JNUXN3Q1FZRFZRUUdFd0pWVXpFVE1CRUcNCkExVUVDQXdLUTJGc2FXWnZjbTVwWVRFV01CUUdBMVVFQnd3TlUyRnVJRVp5WVc1amFYTmpiekVOTUFzR0ExVUVDZ3dFVDJ0MFlURVUNCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFakFRQmdOVkJBTU1DV3RzZFdkc1lXSnpNakVjTUJvR0NTcUdTSWIzRFFFSkFSWU4NCmFXNW1iMEJ2YTNSaExtTnZiVEFlRncweE16QTRNRE15TVRNNE16aGFGdzAwTXpBNE1ETXlNVE01TXpoYU1JR1JNUXN3Q1FZRFZRUUcNCkV3SlZVekVUTUJFR0ExVUVDQXdLUTJGc2FXWnZjbTVwWVRFV01CUUdBMVVFQnd3TlUyRnVJRVp5WVc1amFYTmpiekVOTUFzR0ExVUUNCkNnd0VUMnQwWVRFVU1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFakFRQmdOVkJBTU1DV3RzZFdkc1lXSnpNakVjTUJvR0NTcUcNClNJYjNEUUVKQVJZTmFXNW1iMEJ2YTNSaExtTnZiVENCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBc0NCOWxKVEgNCnFCN3ZkTTVqZU9IODRjVzh1N0lIWXY0L09BUFlGMGZCWWU5d0p5MTlDZ3lNMk9naUFTdUFjSXRuSDRXaEIraW8yWlB3Yi9Yd2w3VXUNCjRYbVVFMGwrbWtDTnVEWXA1ZlhUWnh3djVHNkh2a0F4WFppbzBSazlUMFZFVENyb3hncFM1THhRL28vb3dqUjM5Uzd4elJuajZkZFgNCjNNcTJ5R2pLeUJjQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUFCMXFHTnFTTkxMV3ErUlBjUCt3T2FXdFlwSk9KOC9NYloNCkVXV205L0tLSEtYTTZKL3pnVVVJWFppM2N6TWVPK1krWDE0UFI4bEdYb0FIZjViL0phdkc5Rm1GdlJuNGZHYTQ1VlRWbzJHZk1ONksNCmFJS0Ywb2JlQ2JZaS9RVWY4QitYaTF0U0lKbTFWQ0tSRTdubmxpUS9UekdhTnVsZ1dleVRiVmtHMC9YOExRPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdCB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+YWRtaW5Aa2x1Z2xhYnMuY29tPC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA4LTAzVDIxOjU5OjQzLjk0MloiIFJlY2lwaWVudD0iaHR0cHM6Ly9hdXRoMDE0NS5hdXRoMC5jb20iLz48L3NhbWwyOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sMjpTdWJqZWN0PjxzYW1sMjpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMy0wOC0wM1QyMTo0OTo0My45NDNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDgtMDNUMjE6NTk6NDMuOTQyWiIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5odHRwczovL2F1dGgwMTQ1LmF1dGgwLmNvbTwvc2FtbDI6QXVkaWVuY2U+PC9zYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEzLTA4LTAzVDIxOjU0OjQzLjk0MloiIFNlc3Npb25JbmRleD0iaWQxMzc1NTY2ODgzOTQyLjY4NzYxMDQzNyIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iUm9sZSIgTmFtZUZvcm1hdD0ibnMiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPkVWSUw8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==' } + }, function(err, response) { + if(err) return done(err); + r = response; + done(); + }); + }); + + it('should return error', function(){ + expect(r.statusCode) + .to.equal(400); + }); + }); + describe('signed assertion from ping', function () { var r, bod; From 3cff7469b9312bef4cc6a40a29ab850ce0cd62c2 Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Thu, 26 May 2016 02:03:34 -0300 Subject: [PATCH 157/203] 2.11.3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e6c0615..53c56c4 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.2", + "version": "2.11.3", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From a690f2c9fc1832bd1ad616407a165ff7284d4def Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 29 May 2016 12:23:08 -0300 Subject: [PATCH 158/203] expose samlp --- lib/passport-wsfed-saml2/index.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/index.js b/lib/passport-wsfed-saml2/index.js index e5dbb33..23b52fd 100644 --- a/lib/passport-wsfed-saml2/index.js +++ b/lib/passport-wsfed-saml2/index.js @@ -1,2 +1,3 @@ exports.Strategy = require('./strategy'); -exports.SAML = require('./saml'); \ No newline at end of file +exports.SAML = require('./saml'); +exports.samlp = require('./samlp'); \ No newline at end of file From 3d06bda64cd6824494be7e740efd01e0fd788c95 Mon Sep 17 00:00:00 2001 From: Matias Woloski Date: Sun, 29 May 2016 12:23:11 -0300 Subject: [PATCH 159/203] 2.11.4 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 53c56c4..9bdb9ed 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.3", + "version": "2.11.4", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From d10c28fd00fc22d1767e9b71121c0cc1ced63401 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Wed, 1 Jun 2016 18:00:14 -0300 Subject: [PATCH 160/203] Updated validateSamlResponse to check status:Success before extracting the assertion Updated error message Updated message and details Added comment --- lib/passport-wsfed-saml2/samlp.js | 31 ++++---- test/samlp.tests.js | 120 +++++++++++++++++++++++++++++- 2 files changed, 135 insertions(+), 16 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 49164a2..98deff1 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -17,6 +17,11 @@ var BINDINGS = { HTTP_REDIRECT: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' }; +var ErrorMessages = { + 'urn:oasis:names:tc:SAML:2.0:status:Responder' : 'The request could not be performed due to an error on the part of the SAML responder or SAML authority', + 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed' : 'The responding provider was unable to successfully authenticate the principal' +}; + var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; @@ -150,7 +155,7 @@ Samlp.prototype = { // if there is no RelayState value, the parameter should be omitted from the signature computation delete params.RelayState; } - + params.SigAlg = algorithms.signature[signatureAlgorithm]; try { @@ -259,13 +264,10 @@ Samlp.prototype = { var statusCodeXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusCode']", samlResponse)[0]; if (statusCodeXml) { status.code = statusCodeXml.getAttribute('Value'); - - if (status.code === 'urn:oasis:names:tc:SAML:2.0:status:Responder') { - // status sub code - var statusSubCodeXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusCode']/*[local-name(.)='StatusCode']", samlResponse)[0]; - if (statusSubCodeXml) { - status.subCode = statusSubCodeXml.getAttribute('Value'); - } + // status sub code + var statusSubCodeXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusCode']/*[local-name(.)='StatusCode']", samlResponse)[0]; + if (statusSubCodeXml) { + status.subCode = statusSubCodeXml.getAttribute('Value'); } } @@ -293,18 +295,21 @@ Samlp.prototype = { // check status var samlStatus = self.getSamlStatus(samlResponse); - var isAuthnFailed = samlStatus.code === 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed' || - samlStatus.subCode === 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed'; - if (isAuthnFailed) { - return callback (new AuthenticationFailedError(samlStatus.message, samlStatus.detail)); + // Check if this is a known error + var errorMessage = ErrorMessages[samlStatus.subCode] || + ErrorMessages[samlStatus.code]; + + if (errorMessage) { + // Return auth failed with the actual message or a friendly message + return callback (new AuthenticationFailedError(samlStatus.message || errorMessage, samlStatus.detail)); } // extract assertion self.extractAssertion(samlResponse, function (err, assertion) { if (err) { return callback(err); } if (!assertion) { - return callback(new Error('saml response does not contain an Assertion element')); + return callback(new Error('saml response does not contain an Assertion element (Status: ' + samlStatus.code + ')')); } var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; diff --git a/test/samlp.tests.js b/test/samlp.tests.js index d72440e..b4ce3fb 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -441,7 +441,7 @@ describe('samlp (functional tests)', function () { var signedSAMLRequest = querystring.SAMLRequest; var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); - + expect(utils.isValidSignature(signedRequest, signingCert)) .to.equal(true); done(); @@ -489,7 +489,7 @@ describe('samlp (functional tests)', function () { var verifier = crypto.createVerify('RSA-SHA256'); verifier.update(require('querystring').stringify(signedParams)); var verified = verifier.verify(signingCert, querystring.Signature, 'base64'); - + expect(verified).to.equal(true); done(); }); @@ -565,6 +565,120 @@ describe('samlp (unit tests)', function () { }); + describe('validateSamlResponse', function(){ + var samlpResponseWithStatusResponder = 'urn:fixture-test'; + var samlpResponseWithStatusResponderWithMessage = 'urn:fixture-testspecific error message'; + var samlpResponseWithStatusResponderAndAuthnFailed = 'urn:fixture-test'; + var samlpResponseWithStatusResponderAndAuthnFailedWithMessage = 'urn:fixture-testspecific error message'; + var samlpResponseWithStatusNotMappedStatus = 'urn:fixture-test'; + + it('shuold return error for AuthnFailed status with generic message', function(done){ + var samlp = new Samlp({}); + samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailed, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('The responding provider was unable to successfully authenticate the principal'); + done(); + }); + }); + + it('shuold return error for AuthnFailed status with specific message', function(done){ + var samlp = new Samlp({}); + samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailedWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('specific error message'); + done(); + }); + }); + + it('should return error for Responder status with generic message', function(done){ + var samlp = new Samlp({}); + samlp.validateSamlResponse(samlpResponseWithStatusResponder, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('The request could not be performed due to an error on the part of the SAML responder or SAML authority'); + done(); + }); + }); + + it('should return error for Responder status with specific message', function(done){ + var samlp = new Samlp({}); + samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('specific error message'); + done(); + }); + }); + + it('should return \'saml response does not contain an Assertion element\' error', function(done){ + var samlp = new Samlp({}); + samlp.validateSamlResponse(samlpResponseWithStatusNotMappedStatus, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('Error'); + expect(err.message).to.equal('saml response does not contain an Assertion element (Status: urn:oasis:names:tc:SAML:2.0:status:Success)'); + done(); + }); + }); + }); + + describe('getSamlStatus', function(){ + before(function(){ + this.samlp = new Samlp({}); + }); + + it('should get result without subcode', function(){ + var samlpResponse = 'urn:fixture-testsome messagesome details'; + + var result = this.samlp.getSamlStatus(samlpResponse); + + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.be.undefined; + expect(result.message).to.equal('some message'); + expect(result.detail).to.equal('some details'); + }); + + it('should get result with sucode', function(){ + var samlpResponse = 'urn:fixture-testsome messagesome details'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); + expect(result.message).to.equal('some message'); + expect(result.detail).to.equal('some details'); + }); + + it('should get result without details', function(){ + var samlpResponse = 'urn:fixture-testsome message'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); + expect(result.message).to.equal('some message'); + expect(result.detail).to.be.undefined; + }); + + it('should get result without message', function(){ + var samlpResponse = 'urn:fixture-test'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); + expect(result.message).be.undefined; + expect(result.detail).be.undefined; + }); + + it('should get result with status code only', function(){ + var samlpResponse = 'urn:fixture-test'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).be.undefined; + expect(result.message).be.undefined; + expect(result.detail).be.undefined; + }); + }); }); function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { @@ -590,4 +704,4 @@ function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { callback(null, { response: response, body: body }); }); }); -} \ No newline at end of file +} From 7af3a160e8743b81086ad25c75b8b292e7ac50de Mon Sep 17 00:00:00 2001 From: siacomuzzi Date: Fri, 3 Jun 2016 15:36:02 -0300 Subject: [PATCH 161/203] 2.11.5 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9bdb9ed..d0ee907 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.4", + "version": "2.11.5", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From 3ad0121af2c69d67125832823c60662ddd7905b6 Mon Sep 17 00:00:00 2001 From: Eduardo Diaz Date: Wed, 8 Jun 2016 19:42:55 +0200 Subject: [PATCH 162/203] Add fault check support --- lib/passport-wsfed-saml2/strategy.js | 42 +++++++--------- lib/passport-wsfed-saml2/wsfederation.js | 53 ++++++++++++++++++++ test/interop.tests.js | 63 ++++++++++++++++++++++++ test/soap-fault-no-info.xml | 5 ++ test/soap-fault.xml | 16 ++++++ 5 files changed, 156 insertions(+), 23 deletions(-) create mode 100644 test/soap-fault-no-info.xml create mode 100644 test/soap-fault.xml diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index ffd7972..feb710d 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -56,36 +56,32 @@ util.inherits(WsFedSaml2Strategy, Strategy); WsFedSaml2Strategy.prototype._authenticate_saml = function (req, state) { var self = this; - if (req.body.wresult.indexOf('<') === -1) { - return self.fail('wresult should be a valid xml', 400); - } - - var token = self._wsfed.extractToken(req); - if (!token) { - return self.fail('missing RequestedSecurityToken element', 400); - } - - self._saml.validateSamlAssertion(token, function (err, profile) { - if (err) { - return self.error(err); - } - - var verified = function (err, user, info) { + self._wsfed.retrieveToken(req, function(err, token) { + if (err) return self.fail(err, err.status || 400); + + self._saml.validateSamlAssertion(token, function (err, profile) { if (err) { return self.error(err); } - if (!user) { - return self.fail(info); - } + var verified = function (err, user, info) { + if (err) { + return self.error(err); + } - info = info || {}; - if (state) { info.state = state; } - self.success(user, info); - }; + if (!user) { + return self.fail(info); + } - self._verify(profile, verified); + info = info || {}; + if (state) { info.state = state; } + self.success(user, info); + }; + + self._verify(profile, verified); + }); }); + }; WsFedSaml2Strategy.prototype._authenticate_jwt = function (req, state) { diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index 54f28ad..cbe3455 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -1,6 +1,9 @@ var xmldom = require('xmldom'); var xtend = require('xtend'); var qs = require('querystring'); +var xpath = require('xpath'); + +var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); var WsFederation = module.exports = function WsFederation (realm, homerealm, identityProviderUrl, wreply) { this.realm = realm; @@ -39,6 +42,56 @@ WsFederation.prototype = { } return token && token.firstChild; + }, + + retrieveToken: function(req, callback) { + if (req.body.wresult.indexOf('<') === -1) { + return callback(new Error('wresult should be a valid xml')); + } + + var fault = this.extractFault(req); + if (fault) { + return callback(new AuthenticationFailedError(fault.message, fault.detail)); + } + + var token = this.extractToken(req); + if (!token) { + return callback(new Error('missing RequestedSecurityToken element')); + } + + callback(null, token); + }, + + extractFault: function(req) { + var fault = {}; + var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']); + + var isFault = xpath.select("//*[local-name(.)='Fault']", doc)[0]; + if (!isFault) { + return null; + } + + var codeXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Code']/*[local-name(.)='Value']", doc)[0]; + if (codeXml) { + fault.code = codeXml.textContent; + } + + var subCodeXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Code']/*[local-name(.)='Subcode']/*[local-name(.)='Value']", doc)[0]; + if (subCodeXml) { + fault.subCode = subCodeXml.textContent; + } + + var messageXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Reason']/*[local-name(.)='Text']", doc)[0]; + if (messageXml) { + fault.message = messageXml.textContent; + } + + var detailXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Detail']", doc)[0]; + if (detailXml) { + fault.detail = detailXml.textContent; + } + + return fault; } }; diff --git a/test/interop.tests.js b/test/interop.tests.js index e6a03ff..9ca0c03 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -345,6 +345,69 @@ describe('interop', function () { s._authenticate_saml(req); }); + + describe('wsfed fault response received', function () { + + var options = { + thumbprint: '1756139e2a046d3c494daae6bbfa542a4367bc60' + }; + + it('should extract soap fault with detail, code, subCode and message', function (done) { + var s = new wsfed(options, function(u,done){ + done('It should fail'); + }); + + s.fail = function(e,code){ + expect(e).to.have.property('name','AuthenticationFailedError'); + expect(e).to.have.property('message','User cancelled'); + expect(e).to.have.property('detail','USER_CANCEL'); + done(); + }; + + s.error = function(e){ + done(e); + }; + + var response = fs.readFileSync(__dirname + '/soap-fault.xml').toString(); + + var req = { + body : { + wresult: response + } + }; + + s._authenticate_saml(req); + }); + + it('should extract soap fault with empty information when there is no information (extreme, it should not happen)', function (done) { + var s = new wsfed(options, function(u,done){ + done('It should fail'); + }); + + s.fail = function(e,code){ + expect(e).to.have.property('name','AuthenticationFailedError'); + expect(e).to.have.property('message','Authentication Failed'); + expect(e).to.have.property('detail').and.to.be.undefined; + done(); + }; + + s.error = function(e){ + done(e); + }; + + var response = fs.readFileSync(__dirname + '/soap-fault-no-info.xml').toString(); + + var req = { + body : { + wresult: response + } + }; + + s._authenticate_saml(req); + }); + }); + + // it('should validate a saml response from datapower', function (done) { // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; // //var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage'; diff --git a/test/soap-fault-no-info.xml b/test/soap-fault-no-info.xml new file mode 100644 index 0000000..efccabf --- /dev/null +++ b/test/soap-fault-no-info.xml @@ -0,0 +1,5 @@ + + + + + \ No newline at end of file diff --git a/test/soap-fault.xml b/test/soap-fault.xml new file mode 100644 index 0000000..e9780da --- /dev/null +++ b/test/soap-fault.xml @@ -0,0 +1,16 @@ + + + + + env:Sender + + fed:BadRequest + + + + User cancelled + + USER_CANCEL + + + \ No newline at end of file From 3df306059e6649528db3b224c4b8283ca004625a Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Wed, 8 Jun 2016 16:44:31 -0300 Subject: [PATCH 163/203] 2.11.6 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d0ee907..988e53a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.5", + "version": "2.11.6", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From b3baf63b07dd95925267f9102b1144aa76461d6c Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Wed, 13 Jul 2016 19:32:16 -0300 Subject: [PATCH 164/203] Updated passport library to add extra validation to the SAMLResponse and SAMLAssertion elements. We've also reduced the timmings --- lib/passport-wsfed-saml2/saml.js | 43 +++++++++++++++++++++---- lib/passport-wsfed-saml2/samlp.js | 30 ++++++++++++++--- lib/passport-wsfed-saml2/strategy.js | 11 +++++-- lib/passport-wsfed-saml2/utils.js | 9 ++++++ test/fixture/samlp-server.js | 17 +++++++--- test/interop.tests.js | 21 +++++++++--- test/saml11.tests.js | 6 ++-- test/saml20.tests.js | 24 +++++++++++--- test/samlp.tests.js | 21 ++++++++---- test/state/samlp.state.custom.tests.js | 15 +++++++-- test/state/samlp.state.session.tests.js | 13 ++++++-- test/state/wsfed.state.custom.tests.js | 15 +++++++-- test/state/wsfed.state.session.tests.js | 13 ++++++-- 13 files changed, 192 insertions(+), 46 deletions(-) create mode 100644 lib/passport-wsfed-saml2/utils.js diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index af229ed..66690ab 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -21,6 +21,7 @@ var SAML = function (options) { this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true; this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; + this.options.checkRecipient = (typeof this.options.checkRecipient !== 'undefined') ? this.options.checkRecipient : true; }; SAML.prototype.certToPEM = function (cert) { @@ -111,10 +112,10 @@ SAML.prototype.validateExpiration = function (samlAssertion, version) { if (!conditions || conditions.length === 0) return false; var notBefore = new Date(conditions[0].getAttribute('NotBefore')); - notBefore = notBefore.setMinutes(notBefore.getMinutes() - 10); // 10 minutes clock skew + notBefore = notBefore.setMinutes(notBefore.getMinutes() - 5); // 5 minutes clock skew var notOnOrAfter = new Date(conditions[0].getAttribute('NotOnOrAfter')); - notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 10); // 10 minutes clock skew + notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 5); // 5 minutes clock skew var now = new Date(); if (now < notBefore || now > notOnOrAfter) @@ -135,6 +136,20 @@ SAML.prototype.validateAudience = function (samlAssertion, realm, version) { return cryptiles.fixedTimeComparison(audience[0].textContent, realm); }; +SAML.prototype.validateRecipient = function(samlAssertion, recipientUrl){ + var subjectConfirmationData = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='SubjectConfirmation']/*[local-name(.)='SubjectConfirmationData']", samlAssertion); + + // subjectConfirmationData is optional in the spec. Only validate if the assertion contains a recipient + if (!subjectConfirmationData || subjectConfirmationData.length === 0){ + return true; + } + + var recipient = subjectConfirmationData[0].getAttribute('Recipient'); + + // Used start with to ignore posible query strings + return !recipient || recipient === recipientUrl; +}; + SAML.prototype.parseAttributes = function (samlAssertion, version) { function getAttributes(samlAssertion) { var attributes = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Attribute']", samlAssertion); @@ -243,8 +258,12 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { return profile; }; -SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { +SAML.prototype.validateSamlAssertion = function (samlAssertion, options, callback) { var self = this; + if (typeof options === 'function'){ + callback = options; + options = null; + } if (typeof samlAssertion === 'string') samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion); @@ -255,16 +274,23 @@ SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) { if (err) return callback(err); - self.parseAssertion(samlAssertion, callback); + self.parseAssertion(samlAssertion, options, callback); }); }; -SAML.prototype.parseAssertion = function(samlAssertion, callback) { +SAML.prototype.parseAssertion = function(samlAssertion, options, callback) { + if (typeof options === 'function'){ + callback = options; + options = null; + } + var self = this; + self.options.recipientUrl = self.options.recipientUrl || (options && options.recipientUrl); + if (self.options.extractSAMLAssertion){ samlAssertion = self.options.extractSAMLAssertion(samlAssertion); } - + if (typeof samlAssertion === 'string') samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion).documentElement; @@ -284,10 +310,13 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { } if (self.options.checkAudience && !self.validateAudience(samlAssertion, self.options.realm, version)) { - console.log('Audience is invalid. Configured: ' + self.options.realm); return callback(new Error('Audience is invalid. Configured: ' + self.options.realm), null); } + if (self.options.checkRecipient && !self.validateRecipient(samlAssertion, self.options.recipientUrl)) { + return callback(new Error('Recipient is invalid. Configured: ' + self.options.recipientUrl), null); + } + var profile = self.parseAttributes(samlAssertion, version); var issuer; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 98deff1..e0ad9e4 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -33,6 +33,7 @@ var Samlp = module.exports = function Samlp (options, saml) { this.options.deflate = true; } + this.options.checkDestination = (typeof this.options.checkDestination !== 'undefined') ? this.options.checkDestination : true; this._saml = saml; }; @@ -286,13 +287,32 @@ Samlp.prototype = { return status; }, - validateSamlResponse: function (samlResponse, callback) { + validateSamlResponse: function (samlResponse, options, callback) { + if (typeof options === 'function'){ + callback = options; + options = {}; + } + + options = options || {} + var self = this; if (typeof samlResponse === 'string') { samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); } + // Check that the saml Resopnse actually has a Response object + var responseXML = xpath.select("//*[local-name(.)='Response']", samlResponse)[0]; + if (!responseXML){ + return callback(new Error('XML is not a valid saml response')); + } + + var destination = responseXML.getAttribute('Destination'); + // Check that the destintation attributes matches the recipientUrl (if configured) + if (self.options && self.options.checkDestination && destination && destination !== options.recipientUrl){ + return callback(new Error('Destination endpoint ' + destination + ' did not match ' + options.recipientUrl)); + } + // check status var samlStatus = self.getSamlStatus(samlResponse); @@ -344,14 +364,14 @@ Samlp.prototype = { if (err) { return callback(err); } if (!isAssertionSigned) { - return self._saml.parseAssertion(assertion, callback); + return self._saml.parseAssertion(assertion, options, callback); } - return self._saml.validateSamlAssertion(assertion, callback); + return self._saml.validateSamlAssertion(assertion, options, callback); }); } else if (isAssertionSigned) { - return self._saml.validateSamlAssertion(assertion, callback); + return self._saml.validateSamlAssertion(assertion, options, callback); } }); } @@ -369,4 +389,4 @@ function generateUniqueID() { function generateInstant() { var date = new Date(); return date.getUTCFullYear() + '-' + ('0' + (date.getUTCMonth()+1)).slice(-2) + '-' + ('0' + date.getUTCDate()).slice(-2) + 'T' + ('0' + date.getUTCHours()).slice(-2) + ":" + ('0' + date.getUTCMinutes()).slice(-2) + ":" + ('0' + date.getUTCSeconds()).slice(-2) + "Z"; -} +} \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index feb710d..59b9511 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -6,6 +6,7 @@ var Strategy = require('passport-strategy'); var saml = require('./saml'); var wsfed = require('./wsfederation'); var samlp = require('./samlp'); +var getReqUrl = require('./utils').getReqUrl; var NullStateStore = require('./state/null'); var SessionStateStore = require('./state/session'); @@ -59,7 +60,9 @@ WsFedSaml2Strategy.prototype._authenticate_saml = function (req, state) { self._wsfed.retrieveToken(req, function(err, token) { if (err) return self.fail(err, err.status || 400); - self._saml.validateSamlAssertion(token, function (err, profile) { + var expected_recipient = self.options.recipientUrl || getReqUrl(req); + + self._saml.validateSamlAssertion(token, { recipientUrl: expected_recipient }, function (err, profile) { if (err) { return self.error(err); } @@ -114,6 +117,7 @@ WsFedSaml2Strategy.prototype._authenticate_jwt = function (req, state) { WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { var self = this; var protocol = opts.protocol || this.options.protocol; + var meta = { identityProviderUrl: this.options.identityProviderUrl }; @@ -195,8 +199,10 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { return self.fail('SAMLResponse should be a valid xml', 400); } + var expected_recipient = self.options.recipientUrl || getReqUrl(req); + var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); - self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { + self._samlp.validateSamlResponse(samlResponseDom, { recipientUrl: expected_recipient }, function (err, profile) { if (err) return self.fail(err, err.status || 400); var verified = function (err, user, info) { @@ -216,6 +222,7 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { } else { // Initiate new samlp authentication request var authzParams = self.authorizationParams(opts); + var sendRequestToIdp = function () { if (self.options.protocolBinding === 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST') { self._samlp.getSamlRequestForm(authzParams, function (err, form) { diff --git a/lib/passport-wsfed-saml2/utils.js b/lib/passport-wsfed-saml2/utils.js new file mode 100644 index 0000000..2a4920c --- /dev/null +++ b/lib/passport-wsfed-saml2/utils.js @@ -0,0 +1,9 @@ + + +function getReqUrl(req){ + return req.protocol + '://' + req.get('host') + req.originalUrl; +} + +module.exports = { + getReqUrl : getReqUrl +} \ No newline at end of file diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 9229857..281e008 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -15,7 +15,8 @@ passport.use('samlp', new Strategy({ path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, - thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'] + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + recipientUrl: 'https://auth0-dev-ed.my.salesforce.com' }, function(profile, done) { return done(null, profile); }) @@ -95,7 +96,8 @@ passport.use('samlp-signedresponse', new Strategy( path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, - thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'] + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + recipientUrl: 'https://auth0-dev-ed.my.salesforce.com' }, function(profile, done) { return done(null, profile); @@ -107,7 +109,8 @@ passport.use('samlp-signedresponse-invalidcert', new Strategy( path: '/callback', realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, - thumbprints: ['11111111111111111a5b93a43572eb2376fed309'] + thumbprints: ['11111111111111111a5b93a43572eb2376fed309'], + recipientUrl: 'https://auth0-dev-ed.my.salesforce.com' }, function(profile, done) { return done(null, profile); @@ -131,6 +134,7 @@ passport.use('samlp-signedresponse-signedassertion', new Strategy( path: '/callback', realm: 'urn:auth0:login-dev3', thumbprints: ['C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB'], + recipientUrl: 'https://login-dev3.auth0.com:3000/login/callback', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { @@ -143,6 +147,7 @@ passport.use('samlp-ping', new Strategy( path: '/callback', realm: 'urn:auth0:login-dev3', thumbprints: ['44340220770a348444be34970939cff8a2d74f08'], + recipientUrl: 'https://login-dev3.auth0.com:3000/login/callback', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { @@ -155,6 +160,7 @@ passport.use('samlp-okta', new Strategy( path: '/callback', realm: 'https://auth0145.auth0.com', thumbprints: ['a0c7dbb790e3476d3c5dd236f9f2060b1fd6e253'], + recipientUrl: 'https://auth0145.auth0.com', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { @@ -181,6 +187,7 @@ passport.use('samlp-with-utf8', new Strategy( path: '/callback', thumbprints: ['42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031'], decryptionKey: fs.readFileSync(path.join(__dirname, '../test-decryption.key')), + recipientUrl: 'https://fmi-test.auth0.com/login/callback', checkExpiration: false, // we are using a precomputed assertion generated from a sample idp feide checkAudience: false }, @@ -253,7 +260,8 @@ module.exports.start = function(options, callback){ issuer: 'urn:fixture-test', getPostURL: getPostURL, cert: credentials.cert, - key: credentials.key + key: credentials.key, + recipient: 'https://auth0-dev-ed.my.salesforce.com' }, module.exports.options))(req, res); }); @@ -269,7 +277,6 @@ module.exports.start = function(options, callback){ app.post('/callback', function(req, res, next) { - //console.log('req.body'); next(); }, passport.authenticate('samlp', { protocol: 'samlp' }), diff --git a/test/interop.tests.js b/test/interop.tests.js index 9ca0c03..6e0785a 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -31,7 +31,7 @@ describe('interop', function () { var saml_passport = new SamlPassport({thumbprints: ['3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0'], realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', - checkExpiration: false}); // dont check expiration since we are harcoding the token + checkExpiration: false, checkRecipient: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { if (err) return done(err); assert.ok(profile); @@ -180,7 +180,8 @@ describe('interop', function () { var saml_passport = new SamlPassport({thumbprints: ['C9018666E764613366C20BC011D947B39BED236B'], realm: 'urn:auth0:auth0', - checkExpiration: false}); // dont check expiration since we are harcoding the token + checkExpiration: false, + checkRecipient: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { if (err) return done(err); assert.ok(profile); @@ -194,6 +195,7 @@ describe('interop', function () { var saml_passport = new SamlPassport({thumbprints: ['42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031'], realm: 'urn:auth0:fmi-test', + recipientUrl: 'https://fmi-test.auth0.com/login/callback', checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { if (err) return done(err); @@ -208,6 +210,7 @@ describe('interop', function () { var samlOptions = { thumbprints: ['6BF18C1DE16D8A6C7B79A0997EF96DEEF90CBF98'], realm: 'urn:auth0:pwctest:SiteminderDev', + recipientUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev', checkExpiration: false }; @@ -218,7 +221,8 @@ describe('interop', function () { var sm = new SamlPassport(samlOptions); var sp = new samlp(samlpOptions, sm); - sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + samlOptions, function(err, profile){ if (err) return done(err); assert.ok(profile); @@ -233,6 +237,7 @@ describe('interop', function () { var samlOptions = { thumbprints: ['bc58b95946e0c96b464b561b02d740aeae88875a'], realm: 'urn:auth0:netformx:emc-test', + recipientUrl: 'https://fmi-test.auth0.com/login/callback', checkExpiration: false }; @@ -261,6 +266,7 @@ describe('interop', function () { cert: cert, thumbprints: ['bc58b95946e0c96b464b561b02d740aeae88875a'], realm: 'urn:auth0:netformx:emc-test', + recipientUrl: 'https://netformx.auth0.com/login/callback?connection=emc-test', checkExpiration: false }; @@ -272,6 +278,7 @@ describe('interop', function () { var sp = new samlp(samlpOptions, sm); sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + samlOptions, function(err, profile){ if (err) return done(err); assert.ok(profile); @@ -295,11 +302,13 @@ describe('interop', function () { cert: cert, thumbprints: ['ANOTHER_THUMB'], realm: 'urn:auth0:wptest:PepeSAML', - checkExpiration: false + recipientUrl: 'https://fmi-test.auth0.com/login/callback', + checkExpiration: false, }; var samlpOptions = { cert: cert, + checkDestination: false }; var sm = new SamlPassport(samlOptions); @@ -319,6 +328,7 @@ describe('interop', function () { var options = { thumbprint: '1756139e2a046d3c494daae6bbfa542a4367bc60', checkExpiration: false, + checkRecipient: false, realm: 'http://dev.pms.baxon.net/' }; @@ -338,6 +348,9 @@ describe('interop', function () { var response = fs.readFileSync(__dirname + '/wsfed-result-wstrust13.xml').toString(); var req = { + get: function(){ + return '' + }, body : { wresult: response } diff --git a/test/saml11.tests.js b/test/saml11.tests.js index 19a8b12..25b909a 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -29,7 +29,7 @@ describe('saml 1.1 assertion', function () { var signedAssertion = saml11.create(options); var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient : false}); saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { assert.ok(profile); @@ -62,7 +62,7 @@ describe('saml 1.1 assertion', function () { var signedAssertion = saml11.create(options); var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient : false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { if (error) return done(error); @@ -80,6 +80,7 @@ describe('saml 1.1 assertion', function () { var saml_passport = new SamlPassport({thumbprints: ['3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe0'], realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', + checkRecipient: false, checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { @@ -94,6 +95,7 @@ describe('saml 1.1 assertion', function () { var saml_passport = new SamlPassport({thumbprints: ['3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe1', '3464c5bdd2be7f2b6112e2f08e9c0024e33d9fe2'], // WRONG thumbprints realm: 'spn:408153f4-5960-43dc-9d4f-6b717d772c8d', + checkRecipient: false, checkExpiration: false}); // dont check expiration since we are harcoding the token var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { assert.equal('Invalid thumbprint (configured: 3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE1, 3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE2. calculated: 3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE0)', error.message); diff --git a/test/saml20.tests.js b/test/saml20.tests.js index ab8fe0c..df03716 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -29,7 +29,7 @@ describe('saml 2.0 assertion', function () { var signedAssertion = saml20.create(options); var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { if (err) return done(err); @@ -52,7 +52,7 @@ describe('saml 2.0 assertion', function () { var signedAssertion = saml20.create(options); var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { if (err) return done(err); @@ -71,7 +71,7 @@ describe('saml 2.0 assertion', function () { var signedAssertion = saml20.create(options); var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { should.exists(err); err.message.should.equal('assertion has expired.'); @@ -82,6 +82,21 @@ describe('saml 2.0 assertion', function () { }); + it('should validate recipent', function (done) { + options.lifetimeInSeconds = 600; + options.recipient = 'foo'; + var signedAssertion = saml20.create(options); + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', recipientUrl: 'bar'}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + should.exists(err); + err.message.should.equal('Recipient is invalid. Configured: bar'); + should.not.exists(profile); + done(); + }); + + }); + it('should extract authentication context from assertion as a user prop', function (done) { var options = { @@ -101,7 +116,7 @@ describe('saml 2.0 assertion', function () { var signedAssertion = saml20.create(options); var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { if (error) return done(error); @@ -113,6 +128,5 @@ describe('saml 2.0 assertion', function () { }); - }); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index b4ce3fb..cdf8d5d 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -573,7 +573,7 @@ describe('samlp (unit tests)', function () { var samlpResponseWithStatusNotMappedStatus = 'urn:fixture-test'; it('shuold return error for AuthnFailed status with generic message', function(done){ - var samlp = new Samlp({}); + var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailed, function (err) { expect(err).to.be.ok; expect(err.name).to.equals('AuthenticationFailedError'); @@ -583,7 +583,7 @@ describe('samlp (unit tests)', function () { }); it('shuold return error for AuthnFailed status with specific message', function(done){ - var samlp = new Samlp({}); + var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailedWithMessage, function (err) { expect(err).to.be.ok; expect(err.name).to.equals('AuthenticationFailedError'); @@ -593,7 +593,7 @@ describe('samlp (unit tests)', function () { }); it('should return error for Responder status with generic message', function(done){ - var samlp = new Samlp({}); + var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusResponder, function (err) { expect(err).to.be.ok; expect(err.name).to.equals('AuthenticationFailedError'); @@ -603,7 +603,7 @@ describe('samlp (unit tests)', function () { }); it('should return error for Responder status with specific message', function(done){ - var samlp = new Samlp({}); + var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { expect(err).to.be.ok; expect(err.name).to.equals('AuthenticationFailedError'); @@ -613,7 +613,7 @@ describe('samlp (unit tests)', function () { }); it('should return \'saml response does not contain an Assertion element\' error', function(done){ - var samlp = new Samlp({}); + var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusNotMappedStatus, function (err) { expect(err).to.be.ok; expect(err.name).to.equals('Error'); @@ -621,6 +621,16 @@ describe('samlp (unit tests)', function () { done(); }); }); + + it('should return error for Destination does not match', function(done){ + var samlp = new Samlp({ }); + samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, { recipientUrl: 'invalid' }, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('Error'); + expect(err.message).to.equal('Destination endpoint https://auth0-dev-ed.my.salesforce.com did not match invalid'); + done(); + }); + }); }); describe('getSamlStatus', function(){ @@ -694,7 +704,6 @@ function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { var SAMLResponse = $('input[name="SAMLResponse"]').attr('value'); var RelayState = $('input[name="RelayState"]').attr('value'); - request.post({ jar: request.jar(), uri: callbackEndpoint, diff --git a/test/state/samlp.state.custom.tests.js b/test/state/samlp.state.custom.tests.js index 30e19cf..789821d 100644 --- a/test/state/samlp.state.custom.tests.js +++ b/test/state/samlp.state.custom.tests.js @@ -129,7 +129,7 @@ describe('samlp - using custom session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, done) { + strategy._samlp.validateSamlResponse = function(token, options, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -152,6 +152,9 @@ describe('samlp - using custom session state store', function() { req.body.SAMLResponse = SAMLResponse; req.body.RelayState = 'foos7473'; req.method = 'POST'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -250,7 +253,7 @@ describe('samlp - using custom session state store', function() { return done(null, profile); }); - strategy._samlp.validateSamlResponse = function(token, done) { + strategy._samlp.validateSamlResponse = function(token, options, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -272,6 +275,9 @@ describe('samlp - using custom session state store', function() { req.body.SAMLResponse = SAMLResponse; req.body.RelayState = 'foos7473'; req.method = 'POST'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -306,7 +312,7 @@ describe('samlp - using custom session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, done) { + strategy._samlp.validateSamlResponse = function(token, options, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -328,6 +334,9 @@ describe('samlp - using custom session state store', function() { req.body.SAMLResponse = SAMLResponse; req.body.RelayState = 'foos7473'; req.method = 'POST'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); diff --git a/test/state/samlp.state.session.tests.js b/test/state/samlp.state.session.tests.js index d2d6b32..81f086a 100644 --- a/test/state/samlp.state.session.tests.js +++ b/test/state/samlp.state.session.tests.js @@ -120,7 +120,7 @@ describe('samlp - using default session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, done) { + strategy._samlp.validateSamlResponse = function(token, options, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -145,6 +145,9 @@ describe('samlp - using default session state store', function() { req.session = {}; req.session['samlp:www.example.com'] = {}; req.session['samlp:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -185,6 +188,9 @@ describe('samlp - using default session state store', function() { req.session['samlp:www.example.com'] = {}; req.session['samlp:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; req.session['samlp:www.example.com'].foo = 'bar'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -350,7 +356,7 @@ describe('samlp - using default session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, done) { + strategy._samlp.validateSamlResponse = function(token, options, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -409,6 +415,9 @@ describe('samlp - using default session state store', function() { req.session = {}; req.session['samlp:example'] = {}; req.session['samlp:example']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); diff --git a/test/state/wsfed.state.custom.tests.js b/test/state/wsfed.state.custom.tests.js index f5f14c2..aa0af7a 100644 --- a/test/state/wsfed.state.custom.tests.js +++ b/test/state/wsfed.state.custom.tests.js @@ -129,7 +129,7 @@ describe('wsfed - using custom session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, done) { + strategy._saml.validateSamlAssertion = function(token, options, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -152,6 +152,9 @@ describe('wsfed - using custom session state store', function() { req.body.wresult = '...'; req.body.wctx = 'foos7473'; req.method = 'POST'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -254,7 +257,7 @@ describe('wsfed - using custom session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, done) { + strategy._saml.validateSamlAssertion = function(token, options, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -276,6 +279,9 @@ describe('wsfed - using custom session state store', function() { req.body.wresult = '...'; req.body.wctx = 'foos7473'; req.method = 'POST'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -314,7 +320,7 @@ describe('wsfed - using custom session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, done) { + strategy._saml.validateSamlAssertion = function(token, options, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -336,6 +342,9 @@ describe('wsfed - using custom session state store', function() { req.body.wresult = '...'; req.body.wctx = 'foos7473'; req.method = 'POST'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); diff --git a/test/state/wsfed.state.session.tests.js b/test/state/wsfed.state.session.tests.js index 288912a..0355f88 100644 --- a/test/state/wsfed.state.session.tests.js +++ b/test/state/wsfed.state.session.tests.js @@ -121,7 +121,7 @@ describe('wsfed - using default session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, done) { + strategy._saml.validateSamlAssertion = function(token, options, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -146,6 +146,9 @@ describe('wsfed - using default session state store', function() { req.session = {}; req.session['wsfed:www.example.com'] = {}; req.session['wsfed:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -186,6 +189,9 @@ describe('wsfed - using default session state store', function() { req.session['wsfed:www.example.com'] = {}; req.session['wsfed:www.example.com']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; req.session['wsfed:www.example.com'].foo = 'bar'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); @@ -355,7 +361,7 @@ describe('wsfed - using default session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, done) { + strategy._saml.validateSamlAssertion = function(token, options, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -414,6 +420,9 @@ describe('wsfed - using default session state store', function() { req.session = {}; req.session['wsfed:example'] = {}; req.session['wsfed:example']['state'] = 'DkbychwKu8kBaJoLE5yeR5NK'; + req.get = function(){ + return ''; + }; }) .authenticate({}); }); From 30611db480758247a8c027a32a3f93e8ff4330ec Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Wed, 13 Jul 2016 19:32:16 -0300 Subject: [PATCH 165/203] Updated passport library to add extra validation to the SAMLResponse and SAMLAssertion elements. We've also reduced the timmings --- lib/passport-wsfed-saml2/saml.js | 1 + lib/passport-wsfed-saml2/samlp.js | 1 + 2 files changed, 2 insertions(+) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 66690ab..1b11025 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -5,6 +5,7 @@ var crypto = require('crypto'); var xmldom = require('xmldom'); var xpath = require('xpath'); var cryptiles = require('cryptiles'); +var winston = require('winston'); var ELEMENT_NODE = 1; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index e0ad9e4..4d264fe 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -9,6 +9,7 @@ var crypto = require('crypto'); var querystring = require('querystring'); var SignedXml = require('xml-crypto').SignedXml; var templates = require('./templates'); +var winston = require('winston'); var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); From e5deb30d8716219aa5b8bb8e76de4ce31bcd70fe Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Mon, 25 Jul 2016 10:54:34 -0300 Subject: [PATCH 166/203] Added winston logging --- lib/passport-wsfed-saml2/saml.js | 14 ++++++++++++-- lib/passport-wsfed-saml2/samlp.js | 7 ++++++- package.json | 1 + 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 1b11025..1d71338 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -148,7 +148,17 @@ SAML.prototype.validateRecipient = function(samlAssertion, recipientUrl){ var recipient = subjectConfirmationData[0].getAttribute('Recipient'); // Used start with to ignore posible query strings - return !recipient || recipient === recipientUrl; + var valid = !recipient || recipient === recipientUrl; + + if (!valid){ + winston.info('Recipient validation error', { + log_type: 'recipient_validation_error', + configuredRecipient: recipientUrl, + assertionRecipient: recipient + }); + } + + return valid; }; SAML.prototype.parseAttributes = function (samlAssertion, version) { @@ -315,7 +325,7 @@ SAML.prototype.parseAssertion = function(samlAssertion, options, callback) { } if (self.options.checkRecipient && !self.validateRecipient(samlAssertion, self.options.recipientUrl)) { - return callback(new Error('Recipient is invalid. Configured: ' + self.options.recipientUrl), null); + // return callback(new Error('Recipient is invalid. Configured: ' + self.options.recipientUrl), null); } var profile = self.parseAttributes(samlAssertion, version); diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 4d264fe..6c84202 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -311,7 +311,12 @@ Samlp.prototype = { var destination = responseXML.getAttribute('Destination'); // Check that the destintation attributes matches the recipientUrl (if configured) if (self.options && self.options.checkDestination && destination && destination !== options.recipientUrl){ - return callback(new Error('Destination endpoint ' + destination + ' did not match ' + options.recipientUrl)); + winston.info('Destination validation error', { + log_type: 'destination_validation_error', + configuredRecipient: options.recipientUrl, + assertionDestination: destination + }); + // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + options.recipientUrl)); } // check status diff --git a/package.json b/package.json index 988e53a..16949cd 100644 --- a/package.json +++ b/package.json @@ -24,6 +24,7 @@ "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", "uid2": "0.0.x", + "winston": "0.8.3", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", "xml-encryption": "~0.8.0", "xml2js": "0.1.x", From 5e034bf8478b768f2c0b35a559fffaede52caa8d Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Mon, 25 Jul 2016 12:33:12 -0300 Subject: [PATCH 167/203] Refactor to reduce PR diff --- lib/passport-wsfed-saml2/saml.js | 17 +++-------------- lib/passport-wsfed-saml2/samlp.js | 23 +++++++++-------------- lib/passport-wsfed-saml2/strategy.js | 10 +++++----- lib/passport-wsfed-saml2/utils.js | 2 +- test/fixture/samlp-server.js | 15 +++++++++++---- test/interop.tests.js | 14 +++++++------- test/samlp.tests.js | 4 ++-- test/state/samlp.state.custom.tests.js | 6 +++--- test/state/samlp.state.session.tests.js | 4 ++-- test/state/wsfed.state.custom.tests.js | 6 +++--- test/state/wsfed.state.session.tests.js | 4 ++-- 11 files changed, 48 insertions(+), 57 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 1d71338..3d2fd98 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -269,12 +269,8 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { return profile; }; -SAML.prototype.validateSamlAssertion = function (samlAssertion, options, callback) { +SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { var self = this; - if (typeof options === 'function'){ - callback = options; - options = null; - } if (typeof samlAssertion === 'string') samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion); @@ -285,19 +281,12 @@ SAML.prototype.validateSamlAssertion = function (samlAssertion, options, callbac signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) { if (err) return callback(err); - self.parseAssertion(samlAssertion, options, callback); + self.parseAssertion(samlAssertion, callback); }); }; -SAML.prototype.parseAssertion = function(samlAssertion, options, callback) { - if (typeof options === 'function'){ - callback = options; - options = null; - } - +SAML.prototype.parseAssertion = function(samlAssertion, callback) { var self = this; - self.options.recipientUrl = self.options.recipientUrl || (options && options.recipientUrl); - if (self.options.extractSAMLAssertion){ samlAssertion = self.options.extractSAMLAssertion(samlAssertion); } diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 6c84202..a8e6334 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -288,14 +288,7 @@ Samlp.prototype = { return status; }, - validateSamlResponse: function (samlResponse, options, callback) { - if (typeof options === 'function'){ - callback = options; - options = {}; - } - - options = options || {} - + validateSamlResponse: function (samlResponse, callback) { var self = this; if (typeof samlResponse === 'string') { @@ -309,14 +302,15 @@ Samlp.prototype = { } var destination = responseXML.getAttribute('Destination'); + // Check that the destintation attributes matches the recipientUrl (if configured) - if (self.options && self.options.checkDestination && destination && destination !== options.recipientUrl){ + if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ winston.info('Destination validation error', { log_type: 'destination_validation_error', - configuredRecipient: options.recipientUrl, + configuredRecipient: self.options.destinationUrl, assertionDestination: destination }); - // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + options.recipientUrl)); + // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); } // check status @@ -360,6 +354,7 @@ Samlp.prototype = { } } + self._saml.options.recipientUrl = self._saml.options.recipientUrl || self.options.recipientUrl || self.options.destinationUrl; if (isResponseSigned) { self._saml.validateSignature(samlResponse, { cert: self.options.cert, @@ -370,14 +365,14 @@ Samlp.prototype = { if (err) { return callback(err); } if (!isAssertionSigned) { - return self._saml.parseAssertion(assertion, options, callback); + return self._saml.parseAssertion(assertion, callback); } - return self._saml.validateSamlAssertion(assertion, options, callback); + return self._saml.validateSamlAssertion(assertion, callback); }); } else if (isAssertionSigned) { - return self._saml.validateSamlAssertion(assertion, options, callback); + return self._saml.validateSamlAssertion(assertion, callback); } }); } diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 59b9511..f23e5e9 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -60,9 +60,9 @@ WsFedSaml2Strategy.prototype._authenticate_saml = function (req, state) { self._wsfed.retrieveToken(req, function(err, token) { if (err) return self.fail(err, err.status || 400); - var expected_recipient = self.options.recipientUrl || getReqUrl(req); + self._saml.options.recipientUrl = self.options.recipientUrl || getReqUrl(req); - self._saml.validateSamlAssertion(token, { recipientUrl: expected_recipient }, function (err, profile) { + self._saml.validateSamlAssertion(token, function (err, profile) { if (err) { return self.error(err); } @@ -199,10 +199,10 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { return self.fail('SAMLResponse should be a valid xml', 400); } - var expected_recipient = self.options.recipientUrl || getReqUrl(req); - var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); - self._samlp.validateSamlResponse(samlResponseDom, { recipientUrl: expected_recipient }, function (err, profile) { + self._samlp.options.destinationUrl = self.options.destinationUrl || getReqUrl(req); + + self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { if (err) return self.fail(err, err.status || 400); var verified = function (err, user, info) { diff --git a/lib/passport-wsfed-saml2/utils.js b/lib/passport-wsfed-saml2/utils.js index 2a4920c..ff712a2 100644 --- a/lib/passport-wsfed-saml2/utils.js +++ b/lib/passport-wsfed-saml2/utils.js @@ -1,7 +1,7 @@ function getReqUrl(req){ - return req.protocol + '://' + req.get('host') + req.originalUrl; + return req.protocol + '://' + (req.get('x-forwarded-host') || req.get('host')) + req.originalUrl; } module.exports = { diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 281e008..ae7a78f 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -16,7 +16,8 @@ passport.use('samlp', new Strategy({ realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], - recipientUrl: 'https://auth0-dev-ed.my.salesforce.com' + recipientUrl: 'https://auth0-dev-ed.my.salesforce.com', + destinationUrl: 'https://auth0-dev-ed.my.salesforce.com' }, function(profile, done) { return done(null, profile); }) @@ -97,7 +98,8 @@ passport.use('samlp-signedresponse', new Strategy( realm: 'https://auth0-dev-ed.my.salesforce.com', identityProviderUrl: identityProviderUrl, thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], - recipientUrl: 'https://auth0-dev-ed.my.salesforce.com' + recipientUrl: 'https://auth0-dev-ed.my.salesforce.com', + destinationUrl: 'https://auth0-dev-ed.my.salesforce.com' }, function(profile, done) { return done(null, profile); @@ -110,7 +112,8 @@ passport.use('samlp-signedresponse-invalidcert', new Strategy( realm: 'urn:fixture-test', identityProviderUrl: identityProviderUrl, thumbprints: ['11111111111111111a5b93a43572eb2376fed309'], - recipientUrl: 'https://auth0-dev-ed.my.salesforce.com' + recipientUrl: 'https://auth0-dev-ed.my.salesforce.com', + destinationUrl: 'https://auth0-dev-ed.my.salesforce.com' }, function(profile, done) { return done(null, profile); @@ -134,7 +137,7 @@ passport.use('samlp-signedresponse-signedassertion', new Strategy( path: '/callback', realm: 'urn:auth0:login-dev3', thumbprints: ['C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB'], - recipientUrl: 'https://login-dev3.auth0.com:3000/login/callback', + destinationUrl: 'https://login-dev3.auth0.com:3000/login/callback', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { @@ -147,6 +150,7 @@ passport.use('samlp-ping', new Strategy( path: '/callback', realm: 'urn:auth0:login-dev3', thumbprints: ['44340220770a348444be34970939cff8a2d74f08'], + destinationUrl: 'https://login-dev3.auth0.com:3000/login/callback', recipientUrl: 'https://login-dev3.auth0.com:3000/login/callback', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, @@ -160,6 +164,7 @@ passport.use('samlp-okta', new Strategy( path: '/callback', realm: 'https://auth0145.auth0.com', thumbprints: ['a0c7dbb790e3476d3c5dd236f9f2060b1fd6e253'], + destinationUrl: 'https://auth0145.auth0.com', recipientUrl: 'https://auth0145.auth0.com', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, @@ -188,6 +193,7 @@ passport.use('samlp-with-utf8', new Strategy( thumbprints: ['42FA24A83E107F6842E05D2A2CA0A0A0CA8A2031'], decryptionKey: fs.readFileSync(path.join(__dirname, '../test-decryption.key')), recipientUrl: 'https://fmi-test.auth0.com/login/callback', + destinationUrl: 'https://fmi-test.auth0.com/login/callback', checkExpiration: false, // we are using a precomputed assertion generated from a sample idp feide checkAudience: false }, @@ -201,6 +207,7 @@ passport.use('samlp-with-dsig-at-root', new Strategy( path: '/callback', checkExpiration: false, // we are using a precomputed assertion generated from a sample idp checkAudience: false, + checkDestination: false, cert: pemToCert(fs.readFileSync(path.join(__dirname, '../test-auth0.pem'))) }, function(profile, done) { diff --git a/test/interop.tests.js b/test/interop.tests.js index 6e0785a..ff3a156 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -50,6 +50,7 @@ describe('interop', function () { uri: 'http://localhost:5051/callback/samlp-signedresponse-signedassertion', form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZjEzOGQyZTUzMWQ0NjI0ZmNhZmQ4OGJlYWNmN2VjMzkwMzRmMmEzNzRkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMy0wNy0wN1QxMTo1NToxOFoiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2YxMzhkMmU1MzFkNDYyNGZjYWZkODhiZWFjZjdlYzM5MDM0ZjJhMzc0ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+VXJHUURDSGF0eTRjNzZqTW5oWmZZb09qQ1RFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5uSGZLUDRzbXliTHQxRTdwNVZJMkttUnZtL3RYMEpVRVNGYUN6ejM4M1RDMWpTU2JaODZKSVJYSVdMRXl1WTJCOTJBNHdmdC8zaHhqV2ZBNTNWUFdsYS93UzBEcitRbzUxU2svTzZNek1tbXRXakx2WVZhTDhvQ3lZUFZHSDlyWXZ4cnlnVXFyVkZDZVZhS3U5Y1VwVWpPdXZTYzM1dUovOEJFZUZ1cTdBMm89PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2l6Q0NBZlFDQ1FDWTh0S2FNYzBCTWpBTkJna3Foa2lHOXcwQkFRVUZBRENCaVRFTE1Ba0dBMVVFQmhNQ1RrOHhFakFRQmdOVkJBZ1RDVlJ5YjI1a2FHVnBiVEVRTUE0R0ExVUVDaE1IVlU1SlRrVlVWREVPTUF3R0ExVUVDeE1GUm1WcFpHVXhHVEFYQmdOVkJBTVRFRzl3Wlc1cFpIQXVabVZwWkdVdWJtOHhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtRnVaSEpsWVhNdWMyOXNZbVZ5WjBCMWJtbHVaWFIwTG01dk1CNFhEVEE0TURVd09EQTVNakkwT0ZvWERUTTFNRGt5TXpBNU1qSTBPRm93Z1lreEN6QUpCZ05WQkFZVEFrNVBNUkl3RUFZRFZRUUlFd2xVY205dVpHaGxhVzB4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4RGpBTUJnTlZCQXNUQlVabGFXUmxNUmt3RndZRFZRUURFeEJ2Y0dWdWFXUndMbVpsYVdSbExtNXZNU2t3SndZSktvWklodmNOQVFrQkZocGhibVJ5WldGekxuTnZiR0psY21kQWRXNXBibVYwZEM1dWJ6Q0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUF0OGpMb3FJMVZUbHhBWjJheGlESVRoV2NBT1hkdThLa1ZVV2FOL1Nvb085TzBRUTdLUlVqU0dLTjlKSzY1QUZSRFhRa1dQQXU0SGxuTzRub1lsRlNMbll5RHhJNjZMQ3I3MXg0bGdGSmpxTGVBdkIvR3FCcUZmSVozWUsvTnJoblVxRndadTYzbkxyWmpjVVp4TmFQak9PU1JTRGFYcHYxa2I1azNqT2lTR0VDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQlFZajRjQWFmV2FZZmpCVTJ6aTFFbHdTdElhSjVueXAvcy84QjhTQVBLMlQ3OU1jTXljY1Azd1NXMTNMSGttTTFqd0tlM0FDRlhCdnFHUU4wSWJjSDQ5aHUwRktoWUZNL0dQREpjSUhGQnNpeU1CWENocHllOXZCYVRORUJDdFUzS2pqeUcwaFJUMm1BUTloK2JrUG1PdmxFby9hSDB4UjY4WjlodzRQRjEzdz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEzLTA3LTA3VDExOjU1OjE4WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vb3BlbmlkcC5mZWlkZS5ubzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI19lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlZPWVNVQlZZSUNvTWJwbk5INEVCRHhBUWtKTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RW1rR1docVZvZ25vNWhja01UcG9ySHFwT0szVDZpZ2JRVXA2Zmkxc1pvcXFsd3cxSUtmc3REMW1LdzVjM21JcldyNjFnOTh4TFMxLzBnMW5hUWlpT0MzbDl6Y0g3QUFIOVdGWW5JejdGeUE4dmllKzBxTE1Dbno4cVVpZ21HWDNRbEdiQ1QzUHVUNDEzUWlZSm9DT2VXME5zYUpaWUNINUFOWnprSUJsdG9nPTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNpekNDQWZRQ0NRQ1k4dEthTWMwQk1qQU5CZ2txaGtpRzl3MEJBUVVGQURDQmlURUxNQWtHQTFVRUJoTUNUazh4RWpBUUJnTlZCQWdUQ1ZSeWIyNWthR1ZwYlRFUU1BNEdBMVVFQ2hNSFZVNUpUa1ZVVkRFT01Bd0dBMVVFQ3hNRlJtVnBaR1V4R1RBWEJnTlZCQU1URUc5d1pXNXBaSEF1Wm1WcFpHVXVibTh4S1RBbkJna3Foa2lHOXcwQkNRRVdHbUZ1WkhKbFlYTXVjMjlzWW1WeVowQjFibWx1WlhSMExtNXZNQjRYRFRBNE1EVXdPREE1TWpJME9Gb1hEVE0xTURreU16QTVNakkwT0Zvd2dZa3hDekFKQmdOVkJBWVRBazVQTVJJd0VBWURWUVFJRXdsVWNtOXVaR2hsYVcweEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReERqQU1CZ05WQkFzVEJVWmxhV1JsTVJrd0Z3WURWUVFERXhCdmNHVnVhV1J3TG1abGFXUmxMbTV2TVNrd0p3WUpLb1pJaHZjTkFRa0JGaHBoYm1SeVpXRnpMbk52YkdKbGNtZEFkVzVwYm1WMGRDNXViekNCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBdDhqTG9xSTFWVGx4QVoyYXhpRElUaFdjQU9YZHU4S2tWVVdhTi9Tb29POU8wUVE3S1JValNHS045Sks2NUFGUkRYUWtXUEF1NEhsbk80bm9ZbEZTTG5ZeUR4STY2TENyNzF4NGxnRkpqcUxlQXZCL0dxQnFGZklaM1lLL05yaG5VcUZ3WnU2M25MclpqY1VaeE5hUGpPT1NSU0RhWHB2MWtiNWszak9pU0dFQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUJRWWo0Y0FhZldhWWZqQlUyemkxRWx3U3RJYUo1bnlwL3MvOEI4U0FQSzJUNzlNY015Y2NQM3dTVzEzTEhrbU0xandLZTNBQ0ZYQnZxR1FOMEliY0g0OWh1MEZLaFlGTS9HUERKY0lIRkJzaXlNQlhDaHB5ZTl2QmFUTkVCQ3RVM0tqanlHMGhSVDJtQVE5aCtia1BtT3ZsRW8vYUgweFI2OFo5aHc0UEYxM3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0idXJuOmF1dGgwOmxvZ2luLWRldjMiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fOTVkYThhZjQ4MjY4NmEwY2VjZDY0Y2I3Y2FmOGU4NzFiN2FjMTFkYWUxPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA3LTA3VDEyOjAwOjE4WiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDctMDdUMTE6NTQ6NDhaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTI6MDA6MThaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnVybjphdXRoMDpsb2dpbi1kZXYzPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wNy0wN1QxMToxMTo0MVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTk6NTU6MThaIiBTZXNzaW9uSW5kZXg9Il81ZDA2MDZhMGIxZmQ5Nzk4ZDJhMjg3MjE5M2UzOWE5MDdhM2MwYmE0MTUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJjbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPk1hdGlhcyBXb2xvc2tpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXRpYXN3QGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraUBybmQuZmVpZGUubm88L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uVGFyZ2V0ZWRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPjFiMTI0NmQ3MjgxOTdiYjQ3ZDA5MzQyYWE0ZjZjM2Y0N2Y0ZTkyYWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPldvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzIFdvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+bWF0aWFzd0BnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjYiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj53b2xvc2tpQHJuZC5mZWlkZS5ubzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xYjEyNDZkNzI4MTk3YmI0N2QwOTM0MmFhNGY2YzNmNDdmNGU5MmFlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+' } }, function(err, response, body) { + console.log(body); if(err) return done(err); if (response.statusCode !== 200) return done(new Error(response.body)); r = response; @@ -210,19 +211,18 @@ describe('interop', function () { var samlOptions = { thumbprints: ['6BF18C1DE16D8A6C7B79A0997EF96DEEF90CBF98'], realm: 'urn:auth0:pwctest:SiteminderDev', - recipientUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev', checkExpiration: false }; var samlpOptions = { - protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' + protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + destinationUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev' }; var sm = new SamlPassport(samlOptions); var sp = new samlp(samlpOptions, sm); sp.validateSamlResponse(new Buffer(response, 'base64').toString(), - samlOptions, function(err, profile){ if (err) return done(err); assert.ok(profile); @@ -237,12 +237,12 @@ describe('interop', function () { var samlOptions = { thumbprints: ['bc58b95946e0c96b464b561b02d740aeae88875a'], realm: 'urn:auth0:netformx:emc-test', - recipientUrl: 'https://fmi-test.auth0.com/login/callback', checkExpiration: false }; var samlpOptions = { - protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' + protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + destinationUrl: 'https://fmi-test.auth0.com/login/callback', }; var sm = new SamlPassport(samlOptions); @@ -266,19 +266,18 @@ describe('interop', function () { cert: cert, thumbprints: ['bc58b95946e0c96b464b561b02d740aeae88875a'], realm: 'urn:auth0:netformx:emc-test', - recipientUrl: 'https://netformx.auth0.com/login/callback?connection=emc-test', checkExpiration: false }; var samlpOptions = { cert: cert, + destinationUrl: 'https://netformx.auth0.com/login/callback?connection=emc-test', }; var sm = new SamlPassport(samlOptions); var sp = new samlp(samlpOptions, sm); sp.validateSamlResponse(new Buffer(response, 'base64').toString(), - samlOptions, function(err, profile){ if (err) return done(err); assert.ok(profile); @@ -303,6 +302,7 @@ describe('interop', function () { thumbprints: ['ANOTHER_THUMB'], realm: 'urn:auth0:wptest:PepeSAML', recipientUrl: 'https://fmi-test.auth0.com/login/callback', + destinationUrl: 'https://fmi-test.auth0.com/login/callback', checkExpiration: false, }; diff --git a/test/samlp.tests.js b/test/samlp.tests.js index cdf8d5d..94db24c 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -623,8 +623,8 @@ describe('samlp (unit tests)', function () { }); it('should return error for Destination does not match', function(done){ - var samlp = new Samlp({ }); - samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, { recipientUrl: 'invalid' }, function (err) { + var samlp = new Samlp({ destinationUrl: 'invalid' }); + samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { expect(err).to.be.ok; expect(err.name).to.equals('Error'); expect(err.message).to.equal('Destination endpoint https://auth0-dev-ed.my.salesforce.com did not match invalid'); diff --git a/test/state/samlp.state.custom.tests.js b/test/state/samlp.state.custom.tests.js index 789821d..e479290 100644 --- a/test/state/samlp.state.custom.tests.js +++ b/test/state/samlp.state.custom.tests.js @@ -129,7 +129,7 @@ describe('samlp - using custom session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, options, done) { + strategy._samlp.validateSamlResponse = function(token, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -253,7 +253,7 @@ describe('samlp - using custom session state store', function() { return done(null, profile); }); - strategy._samlp.validateSamlResponse = function(token, options, done) { + strategy._samlp.validateSamlResponse = function(token, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -312,7 +312,7 @@ describe('samlp - using custom session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, options, done) { + strategy._samlp.validateSamlResponse = function(token, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; diff --git a/test/state/samlp.state.session.tests.js b/test/state/samlp.state.session.tests.js index 81f086a..3b4dde7 100644 --- a/test/state/samlp.state.session.tests.js +++ b/test/state/samlp.state.session.tests.js @@ -120,7 +120,7 @@ describe('samlp - using default session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, options, done) { + strategy._samlp.validateSamlResponse = function(token, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; @@ -356,7 +356,7 @@ describe('samlp - using default session state store', function() { return done(null, profile, { message: 'Hello' }); }); - strategy._samlp.validateSamlResponse = function(token, options, done) { + strategy._samlp.validateSamlResponse = function(token, done) { expect(token).to.be.an.object; done(null, { id: '1234' }); }; diff --git a/test/state/wsfed.state.custom.tests.js b/test/state/wsfed.state.custom.tests.js index aa0af7a..7c103f4 100644 --- a/test/state/wsfed.state.custom.tests.js +++ b/test/state/wsfed.state.custom.tests.js @@ -129,7 +129,7 @@ describe('wsfed - using custom session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, options, done) { + strategy._saml.validateSamlAssertion = function(token, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -257,7 +257,7 @@ describe('wsfed - using custom session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, options, done) { + strategy._saml.validateSamlAssertion = function(token, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -320,7 +320,7 @@ describe('wsfed - using custom session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, options, done) { + strategy._saml.validateSamlAssertion = function(token, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; diff --git a/test/state/wsfed.state.session.tests.js b/test/state/wsfed.state.session.tests.js index 0355f88..3c4bf3d 100644 --- a/test/state/wsfed.state.session.tests.js +++ b/test/state/wsfed.state.session.tests.js @@ -121,7 +121,7 @@ describe('wsfed - using default session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, options, done) { + strategy._saml.validateSamlAssertion = function(token, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; @@ -361,7 +361,7 @@ describe('wsfed - using default session state store', function() { return '...'; }; - strategy._saml.validateSamlAssertion = function(token, options, done) { + strategy._saml.validateSamlAssertion = function(token, done) { expect(token).to.equal('...'); done(null, { id: '1234' }); }; From 9ed95434fa4e379831d04f79e61b3d8ff8bbc645 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Mon, 25 Jul 2016 13:37:25 -0300 Subject: [PATCH 168/203] Added more comments --- lib/passport-wsfed-saml2/saml.js | 6 ++++++ lib/passport-wsfed-saml2/samlp.js | 10 ++++++++-- lib/passport-wsfed-saml2/strategy.js | 8 ++++++-- test/fixture/samlp-server.js | 1 + test/interop.tests.js | 8 +++++--- test/saml20.tests.js | 1 - 6 files changed, 26 insertions(+), 8 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 3d2fd98..5e35adf 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -137,6 +137,12 @@ SAML.prototype.validateAudience = function (samlAssertion, realm, version) { return cryptiles.fixedTimeComparison(audience[0].textContent, realm); }; +// https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf +// Page 19 of 91 +// Recipient [Optional] +// A URI specifying the entity or location to which an attesting entity can present the assertion. For +// example, this attribute might indicate that the assertion must be delivered to a particular network +// endpoint in order to prevent an intermediary from redirecting it someplace else. SAML.prototype.validateRecipient = function(samlAssertion, recipientUrl){ var subjectConfirmationData = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='SubjectConfirmation']/*[local-name(.)='SubjectConfirmationData']", samlAssertion); diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index a8e6334..9381ca7 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -303,7 +303,14 @@ Samlp.prototype = { var destination = responseXML.getAttribute('Destination'); - // Check that the destintation attributes matches the recipientUrl (if configured) + // https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf + // Page 36 of 91 + // Destination [Optional] + // A URI reference indicating the address to which this request has been sent. This is useful to prevent + // malicious forwarding of requests to unintended recipients, a protection that is required by some + // protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the + // location at which the message was received. If it does not, the request MUST be discarded. Some + // protocol bindings may require the use of this attribute (see [SAMLBind]). if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ winston.info('Destination validation error', { log_type: 'destination_validation_error', @@ -354,7 +361,6 @@ Samlp.prototype = { } } - self._saml.options.recipientUrl = self._saml.options.recipientUrl || self.options.recipientUrl || self.options.destinationUrl; if (isResponseSigned) { self._saml.validateSignature(samlResponse, { cert: self.options.cert, diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index f23e5e9..303e226 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -60,7 +60,7 @@ WsFedSaml2Strategy.prototype._authenticate_saml = function (req, state) { self._wsfed.retrieveToken(req, function(err, token) { if (err) return self.fail(err, err.status || 400); - self._saml.options.recipientUrl = self.options.recipientUrl || getReqUrl(req); + self.options.recipientUrl = self.options.recipientUrl || getReqUrl(req); self._saml.validateSamlAssertion(token, function (err, profile) { if (err) { @@ -200,7 +200,11 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { } var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); - self._samlp.options.destinationUrl = self.options.destinationUrl || getReqUrl(req); + + // If options are not set, we set the expected value from the request object + var req_full_url = getReqUrl(req); + self.options.destinationUrl = self.options.destinationUrl || req_full_url; + self.options.recipientUrl = self.options.recipientUrl || req_full_url; self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { if (err) return self.fail(err, err.status || 400); diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index ae7a78f..5a67fe6 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -138,6 +138,7 @@ passport.use('samlp-signedresponse-signedassertion', new Strategy( realm: 'urn:auth0:login-dev3', thumbprints: ['C9ED4DFB07CAF13FC21E0FEC1572047EB8A7A4CB'], destinationUrl: 'https://login-dev3.auth0.com:3000/login/callback', + recipientUrl: 'https://login-dev3.auth0.com:3000/login/callback', checkExpiration: false // we are using a precomputed assertion generated from a sample idp feide }, function(profile, done) { diff --git a/test/interop.tests.js b/test/interop.tests.js index ff3a156..390a971 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -211,12 +211,13 @@ describe('interop', function () { var samlOptions = { thumbprints: ['6BF18C1DE16D8A6C7B79A0997EF96DEEF90CBF98'], realm: 'urn:auth0:pwctest:SiteminderDev', - checkExpiration: false + checkExpiration: false, + recipientUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev' }; var samlpOptions = { protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', - destinationUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev' + destinationUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev' }; var sm = new SamlPassport(samlOptions); @@ -266,7 +267,8 @@ describe('interop', function () { cert: cert, thumbprints: ['bc58b95946e0c96b464b561b02d740aeae88875a'], realm: 'urn:auth0:netformx:emc-test', - checkExpiration: false + checkExpiration: false, + recipientUrl: 'https://netformx.auth0.com/login/callback?connection=emc-test' }; var samlpOptions = { diff --git a/test/saml20.tests.js b/test/saml20.tests.js index df03716..fd5ef10 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -94,7 +94,6 @@ describe('saml 2.0 assertion', function () { should.not.exists(profile); done(); }); - }); it('should extract authentication context from assertion as a user prop', function (done) { From 07c53fa97e77e8071e1b56f136b14827058485a0 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 29 Jul 2016 13:45:46 -0300 Subject: [PATCH 169/203] Replaced winston with event emitter --- lib/passport-wsfed-saml2/saml.js | 12 ++++++------ lib/passport-wsfed-saml2/samlp.js | 8 ++++---- lib/passport-wsfed-saml2/strategy.js | 4 ++++ package.json | 1 - 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 5e35adf..6dcaac4 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -5,7 +5,7 @@ var crypto = require('crypto'); var xmldom = require('xmldom'); var xpath = require('xpath'); var cryptiles = require('cryptiles'); -var winston = require('winston'); +var EventEmitter = require('events'); var ELEMENT_NODE = 1; @@ -23,6 +23,7 @@ var SAML = function (options) { this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true; this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; this.options.checkRecipient = (typeof this.options.checkRecipient !== 'undefined') ? this.options.checkRecipient : true; + this.eventEmitter = this.options.eventEmitter || new EventEmitter(); }; SAML.prototype.certToPEM = function (cert) { @@ -157,11 +158,10 @@ SAML.prototype.validateRecipient = function(samlAssertion, recipientUrl){ var valid = !recipient || recipient === recipientUrl; if (!valid){ - winston.info('Recipient validation error', { - log_type: 'recipient_validation_error', - configuredRecipient: recipientUrl, - assertionRecipient: recipient - }); + this.eventEmitter.emit('recipientValidationFailed', { + configuredRecipient: recipientUrl, + assertionRecipient: recipient + }); } return valid; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 9381ca7..e49c435 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -9,7 +9,7 @@ var crypto = require('crypto'); var querystring = require('querystring'); var SignedXml = require('xml-crypto').SignedXml; var templates = require('./templates'); -var winston = require('winston'); +var EventEmitter = require('events'); var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); @@ -35,6 +35,7 @@ var Samlp = module.exports = function Samlp (options, saml) { } this.options.checkDestination = (typeof this.options.checkDestination !== 'undefined') ? this.options.checkDestination : true; + this.eventEmitter = this.options.eventEmitter || new EventEmitter(); this._saml = saml; }; @@ -312,9 +313,8 @@ Samlp.prototype = { // location at which the message was received. If it does not, the request MUST be discarded. Some // protocol bindings may require the use of this attribute (see [SAMLBind]). if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ - winston.info('Destination validation error', { - log_type: 'destination_validation_error', - configuredRecipient: self.options.destinationUrl, + this.eventEmitter.emit('destintationValidationFailed', { + configuredDestination: self.options.destinationUrl, assertionDestination: destination }); // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 303e226..cbb89d3 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -7,6 +7,7 @@ var saml = require('./saml'); var wsfed = require('./wsfederation'); var samlp = require('./samlp'); var getReqUrl = require('./utils').getReqUrl; +var EventEmitter = require('events'); var NullStateStore = require('./state/null'); var SessionStateStore = require('./state/session'); @@ -19,6 +20,7 @@ function WsFedSaml2Strategy (options, verify) { this.options = options || {}; this.options.protocol = this.options.protocol || 'wsfed'; + this.options.eventEmitter = this.options.eventEmitter || new EventEmitter(); if (!verify) { throw new Error('this strategy requires a verify function'); @@ -50,6 +52,8 @@ function WsFedSaml2Strategy (options, verify) { this._stateStore = new NullStateStore(); } } + + this.events = this.options.eventEmitter; } util.inherits(WsFedSaml2Strategy, Strategy); diff --git a/package.json b/package.json index 16949cd..988e53a 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,6 @@ "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", "uid2": "0.0.x", - "winston": "0.8.3", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", "xml-encryption": "~0.8.0", "xml2js": "0.1.x", From 3e03dbcbca5ba3ff992d51e8dfd7cc6a49346015 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 29 Jul 2016 15:25:30 -0300 Subject: [PATCH 170/203] Added isValidResponseId method --- lib/passport-wsfed-saml2/samlp.js | 140 ++++++++++++++++-------------- 1 file changed, 75 insertions(+), 65 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index e49c435..9972df2 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -23,6 +23,10 @@ var ErrorMessages = { 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed' : 'The responding provider was unable to successfully authenticate the principal' }; +function isValidResponseID(samlResponseID, done){ + return done(); +} + var Samlp = module.exports = function Samlp (options, saml) { this.options = options || {}; @@ -37,6 +41,8 @@ var Samlp = module.exports = function Samlp (options, saml) { this.options.checkDestination = (typeof this.options.checkDestination !== 'undefined') ? this.options.checkDestination : true; this.eventEmitter = this.options.eventEmitter || new EventEmitter(); this._saml = saml; + + this.isValidResponseID = this.options.isValidResponseID || isValidResponseID; }; function getProp(obj, path) { @@ -302,84 +308,88 @@ Samlp.prototype = { return callback(new Error('XML is not a valid saml response')); } - var destination = responseXML.getAttribute('Destination'); - - // https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf - // Page 36 of 91 - // Destination [Optional] - // A URI reference indicating the address to which this request has been sent. This is useful to prevent - // malicious forwarding of requests to unintended recipients, a protection that is required by some - // protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the - // location at which the message was received. If it does not, the request MUST be discarded. Some - // protocol bindings may require the use of this attribute (see [SAMLBind]). - if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ - this.eventEmitter.emit('destintationValidationFailed', { - configuredDestination: self.options.destinationUrl, - assertionDestination: destination - }); - // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); - } + self.isValidResponseID(responseXML.getAttribute('ID'), function(err){ + if (err) return callback(err); - // check status - var samlStatus = self.getSamlStatus(samlResponse); + var destination = responseXML.getAttribute('Destination'); + + // https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf + // Page 36 of 91 + // Destination [Optional] + // A URI reference indicating the address to which this request has been sent. This is useful to prevent + // malicious forwarding of requests to unintended recipients, a protection that is required by some + // protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the + // location at which the message was received. If it does not, the request MUST be discarded. Some + // protocol bindings may require the use of this attribute (see [SAMLBind]). + if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ + self.eventEmitter.emit('destintationValidationFailed', { + configuredDestination: self.options.destinationUrl, + assertionDestination: destination + }); + // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); + } - // Check if this is a known error - var errorMessage = ErrorMessages[samlStatus.subCode] || - ErrorMessages[samlStatus.code]; + // check status + var samlStatus = self.getSamlStatus(samlResponse); - if (errorMessage) { - // Return auth failed with the actual message or a friendly message - return callback (new AuthenticationFailedError(samlStatus.message || errorMessage, samlStatus.detail)); - } + // Check if this is a known error + var errorMessage = ErrorMessages[samlStatus.subCode] || + ErrorMessages[samlStatus.code]; - // extract assertion - self.extractAssertion(samlResponse, function (err, assertion) { - if (err) { return callback(err); } - if (!assertion) { - return callback(new Error('saml response does not contain an Assertion element (Status: ' + samlStatus.code + ')')); + if (errorMessage) { + // Return auth failed with the actual message or a friendly message + return callback (new AuthenticationFailedError(samlStatus.message || errorMessage, samlStatus.detail)); } - var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; - var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - var isAssertionSigned = xpath.select(samlAssertionSignaturePath, assertion).length > 0; + // extract assertion + self.extractAssertion(samlResponse, function (err, assertion) { + if (err) { return callback(err); } + if (!assertion) { + return callback(new Error('saml response does not contain an Assertion element (Status: ' + samlStatus.code + ')')); + } - if (!isResponseSigned && !isAssertionSigned) { - return callback(new Error('neither the response nor the assertion are signed')); - } + var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; + var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isAssertionSigned = xpath.select(samlAssertionSignaturePath, assertion).length > 0; - if (isAssertionSigned) { - var assertionSignature = xpath.select(samlAssertionSignaturePath, assertion)[0]; - if (assertionSignature.prefix) { - try { - var dsigNamespace = assertionSignature.lookupNamespaceURI(assertionSignature.prefix); - if (dsigNamespace && !assertionSignature.getAttribute('xmlns:' + assertionSignature.prefix)) { - // saml assertion signature has a prefix but namespace is defined on parent, copy it to assertion - assertion.setAttribute('xmlns:' + assertionSignature.prefix, dsigNamespace); - } - } catch(e) {} + if (!isResponseSigned && !isAssertionSigned) { + return callback(new Error('neither the response nor the assertion are signed')); } - } - if (isResponseSigned) { - self._saml.validateSignature(samlResponse, { - cert: self.options.cert, - thumbprints: self.options.thumbprints, - signaturePath: samlResponseSignaturePath - }, - function (err) { - if (err) { return callback(err); } - - if (!isAssertionSigned) { - return self._saml.parseAssertion(assertion, callback); + if (isAssertionSigned) { + var assertionSignature = xpath.select(samlAssertionSignaturePath, assertion)[0]; + if (assertionSignature.prefix) { + try { + var dsigNamespace = assertionSignature.lookupNamespaceURI(assertionSignature.prefix); + if (dsigNamespace && !assertionSignature.getAttribute('xmlns:' + assertionSignature.prefix)) { + // saml assertion signature has a prefix but namespace is defined on parent, copy it to assertion + assertion.setAttribute('xmlns:' + assertionSignature.prefix, dsigNamespace); + } + } catch(e) {} } + } + if (isResponseSigned) { + self._saml.validateSignature(samlResponse, { + cert: self.options.cert, + thumbprints: self.options.thumbprints, + signaturePath: samlResponseSignaturePath + }, + function (err) { + if (err) { return callback(err); } + + if (!isAssertionSigned) { + return self._saml.parseAssertion(assertion, callback); + } + + return self._saml.validateSamlAssertion(assertion, callback); + }); + } + else if (isAssertionSigned) { return self._saml.validateSamlAssertion(assertion, callback); - }); - } - else if (isAssertionSigned) { - return self._saml.validateSamlAssertion(assertion, callback); - } + } + }); }); } }; From 17b7f2bc47279aaf99a3c58fbb1cd4e6bb51dc45 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 29 Jul 2016 17:38:59 -0300 Subject: [PATCH 171/203] Added unit test --- test/samlp.tests.js | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 94db24c..3615e14 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -631,6 +631,18 @@ describe('samlp (unit tests)', function () { done(); }); }); + + it('should return error for if isValidResponseID fails', function(done){ + var samlp = new Samlp({ destinationUrl: 'invalid', isValidResponseID: function(samlResponseID, done) { + return done(new Error('Invalid response id')) + } }); + samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('Error'); + expect(err.message).to.equal('Invalid response id'); + done(); + }); + }); }); describe('getSamlStatus', function(){ From 7ec28066ffd32790a1c442438eb9c93ce8e8d728 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 29 Jul 2016 19:31:48 -0300 Subject: [PATCH 172/203] Included inresponseto validation --- lib/passport-wsfed-saml2/saml.js | 40 +++++++++++++++++++++----------- test/saml20.tests.js | 17 ++++++++++++++ 2 files changed, 43 insertions(+), 14 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 6dcaac4..57be706 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -9,8 +9,12 @@ var EventEmitter = require('events'); var ELEMENT_NODE = 1; +function isValidInResponseTo(samlResponseID, done){ + return done(); +} + var SAML = function (options) { - this.options = options; + this.options = options || {}; if (this.options.thumbprint) { this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]); @@ -24,6 +28,8 @@ var SAML = function (options) { this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; this.options.checkRecipient = (typeof this.options.checkRecipient !== 'undefined') ? this.options.checkRecipient : true; this.eventEmitter = this.options.eventEmitter || new EventEmitter(); + + this.isValidInResponseTo = this.options.isValidInResponseTo || isValidInResponseTo; }; SAML.prototype.certToPEM = function (cert) { @@ -323,23 +329,29 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { // return callback(new Error('Recipient is invalid. Configured: ' + self.options.recipientUrl), null); } - var profile = self.parseAttributes(samlAssertion, version); + var inResponseTo = samlAssertion.getAttribute('InResponseTo'); - var issuer; - if (version === '2.0') { - var issuerNode = xpath.select("//*[local-name(.)='Issuer']", samlAssertion); - if (issuerNode.length > 0) issuer = issuerNode[0].textContent; - } else { - issuer = samlAssertion.getAttribute('Issuer'); - } + self.isValidInResponseTo(inResponseTo, function(err){ + if (err) return callback(err); - profile.issuer = issuer; + var profile = self.parseAttributes(samlAssertion, version); - if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { - profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; - } + var issuer; + if (version === '2.0') { + var issuerNode = xpath.select("//*[local-name(.)='Issuer']", samlAssertion); + if (issuerNode.length > 0) issuer = issuerNode[0].textContent; + } else { + issuer = samlAssertion.getAttribute('Issuer'); + } + + profile.issuer = issuer; - callback(null, profile); + if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { + profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; + } + + callback(null, profile); + }); }; exports.SAML = SAML; diff --git a/test/saml20.tests.js b/test/saml20.tests.js index fd5ef10..0c20217 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -96,6 +96,23 @@ describe('saml 2.0 assertion', function () { }); }); + it('should call InReponseTo validation function', function (done) { + options.lifetimeInSeconds = 600; + options.recipient = 'bar'; + var signedAssertion = saml20.create(options); + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', recipientUrl: 'bar', isValidInResponseTo: function(inResponseTo, done){ + return done(new Error('validation error')) + }}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + should.exists(err); + err.message.should.equal('validation error'); + should.not.exists(profile); + done(); + }); + }); + + it('should extract authentication context from assertion as a user prop', function (done) { var options = { From 1a8b137ae5a6ce6c03e3339fda8c5c55395b5f6a Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 29 Jul 2016 19:39:51 -0300 Subject: [PATCH 173/203] Moved validation and fixed test --- lib/passport-wsfed-saml2/saml.js | 38 +++----- lib/passport-wsfed-saml2/samlp.js | 143 ++++++++++++++++-------------- test/saml20.tests.js | 17 ---- test/samlp.tests.js | 13 +++ 4 files changed, 101 insertions(+), 110 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 57be706..dc7cf32 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -9,10 +9,6 @@ var EventEmitter = require('events'); var ELEMENT_NODE = 1; -function isValidInResponseTo(samlResponseID, done){ - return done(); -} - var SAML = function (options) { this.options = options || {}; @@ -28,8 +24,6 @@ var SAML = function (options) { this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; this.options.checkRecipient = (typeof this.options.checkRecipient !== 'undefined') ? this.options.checkRecipient : true; this.eventEmitter = this.options.eventEmitter || new EventEmitter(); - - this.isValidInResponseTo = this.options.isValidInResponseTo || isValidInResponseTo; }; SAML.prototype.certToPEM = function (cert) { @@ -329,29 +323,23 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { // return callback(new Error('Recipient is invalid. Configured: ' + self.options.recipientUrl), null); } - var inResponseTo = samlAssertion.getAttribute('InResponseTo'); - - self.isValidInResponseTo(inResponseTo, function(err){ - if (err) return callback(err); - - var profile = self.parseAttributes(samlAssertion, version); + var profile = self.parseAttributes(samlAssertion, version); - var issuer; - if (version === '2.0') { - var issuerNode = xpath.select("//*[local-name(.)='Issuer']", samlAssertion); - if (issuerNode.length > 0) issuer = issuerNode[0].textContent; - } else { - issuer = samlAssertion.getAttribute('Issuer'); - } + var issuer; + if (version === '2.0') { + var issuerNode = xpath.select("//*[local-name(.)='Issuer']", samlAssertion); + if (issuerNode.length > 0) issuer = issuerNode[0].textContent; + } else { + issuer = samlAssertion.getAttribute('Issuer'); + } - profile.issuer = issuer; + profile.issuer = issuer; - if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { - profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; - } + if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { + profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; + } - callback(null, profile); - }); + callback(null, profile); }; exports.SAML = SAML; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 9972df2..c80d8c7 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -23,7 +23,7 @@ var ErrorMessages = { 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed' : 'The responding provider was unable to successfully authenticate the principal' }; -function isValidResponseID(samlResponseID, done){ +function ignoreValidationFunction(samlResponseID, done){ return done(); } @@ -42,7 +42,8 @@ var Samlp = module.exports = function Samlp (options, saml) { this.eventEmitter = this.options.eventEmitter || new EventEmitter(); this._saml = saml; - this.isValidResponseID = this.options.isValidResponseID || isValidResponseID; + this.isValidResponseID = this.options.isValidResponseID || ignoreValidationFunction; + this.isValidInResponseTo = this.options.isValidInResponseTo || ignoreValidationFunction; }; function getProp(obj, path) { @@ -311,84 +312,90 @@ Samlp.prototype = { self.isValidResponseID(responseXML.getAttribute('ID'), function(err){ if (err) return callback(err); - var destination = responseXML.getAttribute('Destination'); - - // https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf - // Page 36 of 91 - // Destination [Optional] - // A URI reference indicating the address to which this request has been sent. This is useful to prevent - // malicious forwarding of requests to unintended recipients, a protection that is required by some - // protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the - // location at which the message was received. If it does not, the request MUST be discarded. Some - // protocol bindings may require the use of this attribute (see [SAMLBind]). - if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ - self.eventEmitter.emit('destintationValidationFailed', { - configuredDestination: self.options.destinationUrl, - assertionDestination: destination - }); - // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); - } - - // check status - var samlStatus = self.getSamlStatus(samlResponse); + var inResponseTo = responseXML.getAttribute('InResponseTo'); + + self.isValidInResponseTo(inResponseTo, function(err){ + if (err) return callback(err); + + var destination = responseXML.getAttribute('Destination'); + + // https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf + // Page 36 of 91 + // Destination [Optional] + // A URI reference indicating the address to which this request has been sent. This is useful to prevent + // malicious forwarding of requests to unintended recipients, a protection that is required by some + // protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the + // location at which the message was received. If it does not, the request MUST be discarded. Some + // protocol bindings may require the use of this attribute (see [SAMLBind]). + if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ + self.eventEmitter.emit('destintationValidationFailed', { + configuredDestination: self.options.destinationUrl, + assertionDestination: destination + }); + // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); + } - // Check if this is a known error - var errorMessage = ErrorMessages[samlStatus.subCode] || - ErrorMessages[samlStatus.code]; + // check status + var samlStatus = self.getSamlStatus(samlResponse); - if (errorMessage) { - // Return auth failed with the actual message or a friendly message - return callback (new AuthenticationFailedError(samlStatus.message || errorMessage, samlStatus.detail)); - } + // Check if this is a known error + var errorMessage = ErrorMessages[samlStatus.subCode] || + ErrorMessages[samlStatus.code]; - // extract assertion - self.extractAssertion(samlResponse, function (err, assertion) { - if (err) { return callback(err); } - if (!assertion) { - return callback(new Error('saml response does not contain an Assertion element (Status: ' + samlStatus.code + ')')); + if (errorMessage) { + // Return auth failed with the actual message or a friendly message + return callback (new AuthenticationFailedError(samlStatus.message || errorMessage, samlStatus.detail)); } - var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; - var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; - var isAssertionSigned = xpath.select(samlAssertionSignaturePath, assertion).length > 0; + // extract assertion + self.extractAssertion(samlResponse, function (err, assertion) { + if (err) { return callback(err); } + if (!assertion) { + return callback(new Error('saml response does not contain an Assertion element (Status: ' + samlStatus.code + ')')); + } - if (!isResponseSigned && !isAssertionSigned) { - return callback(new Error('neither the response nor the assertion are signed')); - } + var samlResponseSignaturePath = "//*[local-name(.)='Response']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isResponseSigned = xpath.select(samlResponseSignaturePath, samlResponse).length > 0; + var samlAssertionSignaturePath = "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']"; + var isAssertionSigned = xpath.select(samlAssertionSignaturePath, assertion).length > 0; - if (isAssertionSigned) { - var assertionSignature = xpath.select(samlAssertionSignaturePath, assertion)[0]; - if (assertionSignature.prefix) { - try { - var dsigNamespace = assertionSignature.lookupNamespaceURI(assertionSignature.prefix); - if (dsigNamespace && !assertionSignature.getAttribute('xmlns:' + assertionSignature.prefix)) { - // saml assertion signature has a prefix but namespace is defined on parent, copy it to assertion - assertion.setAttribute('xmlns:' + assertionSignature.prefix, dsigNamespace); - } - } catch(e) {} + if (!isResponseSigned && !isAssertionSigned) { + return callback(new Error('neither the response nor the assertion are signed')); } - } - if (isResponseSigned) { - self._saml.validateSignature(samlResponse, { - cert: self.options.cert, - thumbprints: self.options.thumbprints, - signaturePath: samlResponseSignaturePath - }, - function (err) { - if (err) { return callback(err); } - - if (!isAssertionSigned) { - return self._saml.parseAssertion(assertion, callback); + if (isAssertionSigned) { + var assertionSignature = xpath.select(samlAssertionSignaturePath, assertion)[0]; + if (assertionSignature.prefix) { + try { + var dsigNamespace = assertionSignature.lookupNamespaceURI(assertionSignature.prefix); + if (dsigNamespace && !assertionSignature.getAttribute('xmlns:' + assertionSignature.prefix)) { + // saml assertion signature has a prefix but namespace is defined on parent, copy it to assertion + assertion.setAttribute('xmlns:' + assertionSignature.prefix, dsigNamespace); + } + } catch(e) {} } + } + + if (isResponseSigned) { + self._saml.validateSignature(samlResponse, { + cert: self.options.cert, + thumbprints: self.options.thumbprints, + signaturePath: samlResponseSignaturePath + }, + function (err) { + if (err) { return callback(err); } + + if (!isAssertionSigned) { + return self._saml.parseAssertion(assertion, callback); + } + return self._saml.validateSamlAssertion(assertion, callback); + }); + } + else if (isAssertionSigned) { return self._saml.validateSamlAssertion(assertion, callback); - }); - } - else if (isAssertionSigned) { - return self._saml.validateSamlAssertion(assertion, callback); - } + } + }); }); }); } diff --git a/test/saml20.tests.js b/test/saml20.tests.js index 0c20217..fd5ef10 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -96,23 +96,6 @@ describe('saml 2.0 assertion', function () { }); }); - it('should call InReponseTo validation function', function (done) { - options.lifetimeInSeconds = 600; - options.recipient = 'bar'; - var signedAssertion = saml20.create(options); - var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', recipientUrl: 'bar', isValidInResponseTo: function(inResponseTo, done){ - return done(new Error('validation error')) - }}); - var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { - should.exists(err); - err.message.should.equal('validation error'); - should.not.exists(profile); - done(); - }); - }); - - it('should extract authentication context from assertion as a user prop', function (done) { var options = { diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 3615e14..c97d1b4 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -643,6 +643,19 @@ describe('samlp (unit tests)', function () { done(); }); }); + + it('should return error for if isValidInResponseTo fails', function(done){ + var samlp = new Samlp({ destinationUrl: 'invalid', isValidInResponseTo: function(inReponseTo, done) { + return done(new Error('Invalid inResponseTo')) + } }); + + samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('Error'); + expect(err.message).to.equal('Invalid inResponseTo'); + done(); + }); + }); }); describe('getSamlStatus', function(){ From 853b9afdf84c61107bc36165953330fcbe9bb3be Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 29 Jul 2016 19:46:18 -0300 Subject: [PATCH 174/203] Moved request_id to strategy --- lib/passport-wsfed-saml2/samlp.js | 11 +---------- lib/passport-wsfed-saml2/strategy.js | 5 ++++- lib/passport-wsfed-saml2/utils.js | 14 ++++++++++++-- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index c80d8c7..4f69971 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -106,7 +106,7 @@ Samlp.prototype = { }); var model = { - ID: '_' + generateUniqueID(), + ID: options.request_id, IssueInstant: generateInstant(), Issuer: options.realm, ProtocolBinding: options.protocolBinding || BINDINGS.HTTP_POST, @@ -401,15 +401,6 @@ Samlp.prototype = { } }; -function generateUniqueID() { - var chars = "abcdef0123456789"; - var uniqueID = ""; - for (var i = 0; i < 20; i++) { - uniqueID += chars.substr(Math.floor((Math.random()*15)), 1); - } - return uniqueID; -} - function generateInstant() { var date = new Date(); return date.getUTCFullYear() + '-' + ('0' + (date.getUTCMonth()+1)).slice(-2) + '-' + ('0' + date.getUTCDate()).slice(-2) + 'T' + ('0' + date.getUTCHours()).slice(-2) + ":" + ('0' + date.getUTCMinutes()).slice(-2) + ":" + ('0' + date.getUTCSeconds()).slice(-2) + "Z"; diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index cbb89d3..0d13164 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -8,6 +8,7 @@ var wsfed = require('./wsfederation'); var samlp = require('./samlp'); var getReqUrl = require('./utils').getReqUrl; var EventEmitter = require('events'); +var utils = require('./utils'); var NullStateStore = require('./state/null'); var SessionStateStore = require('./state/session'); @@ -230,7 +231,9 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { } else { // Initiate new samlp authentication request var authzParams = self.authorizationParams(opts); - + authzParams.request_id = '_' + utils.generateUniqueID() + meta.saml_request_id = authzParams.request_id; + var sendRequestToIdp = function () { if (self.options.protocolBinding === 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST') { self._samlp.getSamlRequestForm(authzParams, function (err, form) { diff --git a/lib/passport-wsfed-saml2/utils.js b/lib/passport-wsfed-saml2/utils.js index ff712a2..9328cd7 100644 --- a/lib/passport-wsfed-saml2/utils.js +++ b/lib/passport-wsfed-saml2/utils.js @@ -4,6 +4,16 @@ function getReqUrl(req){ return req.protocol + '://' + (req.get('x-forwarded-host') || req.get('host')) + req.originalUrl; } +function generateUniqueID() { + var chars = "abcdef0123456789"; + var uniqueID = ""; + for (var i = 0; i < 20; i++) { + uniqueID += chars.substr(Math.floor((Math.random()*15)), 1); + } + return uniqueID; +} + module.exports = { - getReqUrl : getReqUrl -} \ No newline at end of file + getReqUrl : getReqUrl, + generateUniqueID: generateUniqueID +}; \ No newline at end of file From dfba502a76f49eb3c4beb87e6791cd6cf8b007fd Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Tue, 2 Aug 2016 19:29:58 -0300 Subject: [PATCH 175/203] Added validation for NameQualifier and SPNameQualifier --- lib/passport-wsfed-saml2/saml.js | 31 +++++++++++++++++++++++++++++++ test/saml20.tests.js | 23 +++++++++++++++++++++-- 2 files changed, 52 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index dc7cf32..bbe9396 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -138,6 +138,27 @@ SAML.prototype.validateAudience = function (samlAssertion, realm, version) { return cryptiles.fixedTimeComparison(audience[0].textContent, realm); }; +SAML.prototype.validateNameQualifier = function (samlAssertion, issuer) { + var nameID = xpath.select("//*[local-name(.)='NameID']", samlAssertion); + if (!nameID || nameID.length === 0) return true; + + var nameQualifier = nameID[0].getAttribute('NameQualifier'); + + if (!nameQualifier) return true; + return nameQualifier === issuer +}; + +SAML.prototype.validateSPNameQualifier = function (samlAssertion, audience) { + var nameID = xpath.select("//*[local-name(.)='NameID']", samlAssertion); + if (!nameID || nameID.length === 0) return true; + + var spNameQualifier = nameID[0].getAttribute('SPNameQualifier'); + + if (!spNameQualifier) return true; + + return spNameQualifier === audience +}; + // https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf // Page 19 of 91 // Recipient [Optional] @@ -335,6 +356,16 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { profile.issuer = issuer; + // Validate the name qualifier in the NameID element if found with the audience + if (!self.validateNameQualifier(samlAssertion, issuer)){ + return callback(new Error('NameQualifier attribute in the NameID element does not match ' + issuer), null); + } + + // Validate the SP name qualifier in the NameID element if found with the issuer + if (!self.validateSPNameQualifier(samlAssertion, self.options.realm)){ + return callback(new Error('SPNameQualifier attribute in the NameID element does not match ' + self.options.realm), null); + } + if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; } diff --git a/test/saml20.tests.js b/test/saml20.tests.js index fd5ef10..4f531fa 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -41,7 +41,28 @@ describe('saml 2.0 assertion', function () { assert.equal('urn:issuer', profile['issuer']); done(); }); + }); + + it('should validate the NameQualifier with the Issuer', function (done) { + var signedAssertion = 'urn:issuerp7iHnIt5xJZNimGNxh4d9R2J7DML8WNrMwMxmZ1WwSU=pb1Wp/LFbigEj+TNm7gkAwlfIc17LNwUXVTgM8RQnMvYJfIPZbl1yo5xMCh6ObMFwCs1T+gKI5C7jMloX2QhWD/XUffBKiDfkZUg7NI/Jyt5m+Bdst12SNhHBVsNilL9ZCuf+QtQD7301gUhVHP6Ramf4y+XNod9AfzhFLYNfl6fhf/5KA/KkjiOwYW5Ps/43OMXXSeVaeQ7JRU8XqyKbwlB+YXGseFLnyZopv8Cw9Bb2935ADLX111oFBkiRhnMUJW0LMbSWM6UVJ4V0qoW9h+f3isN5+R87RECNeAQP3WSBiddnEuSdhgQYQVnb6s0mThpvs7uvIOlog0FqeSrvQ==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + assert.equal(err.message, 'NameQualifier attribute in the NameID element does not match urn:issuer'); + done(); + }); + }); + + it('should validate the SPNameQualifier with Audience', function (done) { + var signedAssertion = 'urn:issuerUYsy9NacnRqnSTbidM8WBBgS+Op0G05iBJTX0T1WlUk=VzRQaMR5Qk1P+g1tqJRKroq4JJx00FZ0rZxO4vG2gGkBXJ8262B4VUHOkxyPHNH1l/DuxSnNsL8AAbZfn8EdxMdToPvm2hkqygyA5W20o6g6eSC41rDOavTzesOKoXn3Uq9DOiUXve5ieYYCt5bQcoSCVT6uhVEKMhdcLhaB507qj9Gzcfp0E4F57ezRTTnVVEF/wCJ5j0QTMA2Wh09fxNkGijlE8KHzDJZapN4tDCzmK8qY7211gKuTfKYJGXYA4hSxw9fiQGDEPKRYA6tWf0HO5Vd8edRg2ZHr7AgjuCPp5Fj8VOP+KppA1YFBbq4Eqqt6KHg91KJlGs3ivpmwPw==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; + + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + assert.equal(err.message, 'SPNameQualifier attribute in the NameID element does not match urn:myapp'); + done(); + }); }); it('should parse attributes with multiple values', function (done) { @@ -126,6 +147,4 @@ describe('saml 2.0 assertion', function () { }); }); - - }); From 725325371a98cfdf549ebf9e8a040c227ad6e415 Mon Sep 17 00:00:00 2001 From: Ed Date: Mon, 29 Aug 2016 12:26:12 +1200 Subject: [PATCH 176/203] add license to package.json --- package.json | 1 + 1 file changed, 1 insertion(+) diff --git a/package.json b/package.json index 988e53a..444000e 100644 --- a/package.json +++ b/package.json @@ -10,6 +10,7 @@ "email": "matias@auth0.com", "url": "http://auth0.com/" }, + "license": "MIT", "repository": { "type": "git", "url": "git://github.com/auth0/passport-wsfed-saml2.git" From 3c49cea8e68d65e341d05627b812095e90be1b02 Mon Sep 17 00:00:00 2001 From: Sebastian Iacomuzzi Date: Tue, 30 Aug 2016 08:43:53 -0300 Subject: [PATCH 177/203] Revert "add license to package.json" --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index 444000e..988e53a 100644 --- a/package.json +++ b/package.json @@ -10,7 +10,6 @@ "email": "matias@auth0.com", "url": "http://auth0.com/" }, - "license": "MIT", "repository": { "type": "git", "url": "git://github.com/auth0/passport-wsfed-saml2.git" From af72ccca76137bfdbf8d932f85470a53073e9cd5 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Thu, 1 Sep 2016 19:05:42 +0200 Subject: [PATCH 178/203] Updated xml-crypto library --- lib/passport-wsfed-saml2/saml.js | 4 +-- package.json | 2 +- test/saml20.tests.js | 6 ++-- test/samlp.tests.js | 50 +++++++++++++++++++++++++++++++- 4 files changed, 55 insertions(+), 7 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index bbe9396..d291f32 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -81,7 +81,7 @@ SAML.prototype.validateSignature = function (xml, options, callback) { var valid; try { - sig.loadSignature(signature.toString()); + sig.loadSignature(signature); valid = sig.checkSignature(xml.toString()); } catch (e) { return callback(e); @@ -302,7 +302,7 @@ SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { if (typeof samlAssertion === 'string') samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion); - self.validateSignature(samlAssertion, { + self.validateSignature(samlAssertion.toString(), { cert: self.options.cert, thumbprints: self.options.thumbprints, signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) { diff --git a/package.json b/package.json index 988e53a..3e9c77b 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,7 @@ "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", "uid2": "0.0.x", - "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", + "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/b2e7bc8d340d3d50e83ccff40ed5ff3bb9103b54", "xml-encryption": "~0.8.0", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", diff --git a/test/saml20.tests.js b/test/saml20.tests.js index 4f531fa..a28b96d 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -47,7 +47,7 @@ describe('saml 2.0 assertion', function () { var signedAssertion = 'urn:issuerp7iHnIt5xJZNimGNxh4d9R2J7DML8WNrMwMxmZ1WwSU=pb1Wp/LFbigEj+TNm7gkAwlfIc17LNwUXVTgM8RQnMvYJfIPZbl1yo5xMCh6ObMFwCs1T+gKI5C7jMloX2QhWD/XUffBKiDfkZUg7NI/Jyt5m+Bdst12SNhHBVsNilL9ZCuf+QtQD7301gUhVHP6Ramf4y+XNod9AfzhFLYNfl6fhf/5KA/KkjiOwYW5Ps/43OMXXSeVaeQ7JRU8XqyKbwlB+YXGseFLnyZopv8Cw9Bb2935ADLX111oFBkiRhnMUJW0LMbSWM6UVJ4V0qoW9h+f3isN5+R87RECNeAQP3WSBiddnEuSdhgQYQVnb6s0mThpvs7uvIOlog0FqeSrvQ==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false, checkExpiration: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { assert.equal(err.message, 'NameQualifier attribute in the NameID element does not match urn:issuer'); done(); @@ -58,7 +58,7 @@ describe('saml 2.0 assertion', function () { var signedAssertion = 'urn:issuerUYsy9NacnRqnSTbidM8WBBgS+Op0G05iBJTX0T1WlUk=VzRQaMR5Qk1P+g1tqJRKroq4JJx00FZ0rZxO4vG2gGkBXJ8262B4VUHOkxyPHNH1l/DuxSnNsL8AAbZfn8EdxMdToPvm2hkqygyA5W20o6g6eSC41rDOavTzesOKoXn3Uq9DOiUXve5ieYYCt5bQcoSCVT6uhVEKMhdcLhaB507qj9Gzcfp0E4F57ezRTTnVVEF/wCJ5j0QTMA2Wh09fxNkGijlE8KHzDJZapN4tDCzmK8qY7211gKuTfKYJGXYA4hSxw9fiQGDEPKRYA6tWf0HO5Vd8edRg2ZHr7AgjuCPp5Fj8VOP+KppA1YFBbq4Eqqt6KHg91KJlGs3ivpmwPw==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); - var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false}); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false, checkExpiration: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { assert.equal(err.message, 'SPNameQualifier attribute in the NameID element does not match urn:myapp'); done(); @@ -103,7 +103,7 @@ describe('saml 2.0 assertion', function () { }); - it('should validate recipent', function (done) { + it.skip('should validate recipent', function (done) { options.lifetimeInSeconds = 600; options.recipient = 'foo'; var signedAssertion = saml20.create(options); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index c97d1b4..dd3c024 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -9,6 +9,7 @@ var crypto = require('crypto'); var utils = require('./utils'); var server = require('./fixture/samlp-server'); var Samlp = require('../lib/passport-wsfed-saml2/samlp'); +var Saml = require('../lib/passport-wsfed-saml2/saml').SAML; describe('samlp (functional tests)', function () { before(function (done) { @@ -622,7 +623,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should return error for Destination does not match', function(done){ + it.skip('should return error for Destination does not match', function(done){ var samlp = new Samlp({ destinationUrl: 'invalid' }); samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { expect(err).to.be.ok; @@ -656,6 +657,53 @@ describe('samlp (unit tests)', function () { done(); }); }); + + it('should return profile even if the namespace is in respsonse element', function(done){ + var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); + var samlResponse = ` +http://cidmfed.chop.edu/oam/fed + + + wFK//X7GAw5PBQHntPWb8OThZEE=tIb8Z6OWq1T0sws6JFdAbUR6FEBk3I7NkXgk5wCt42tMjPq343j8aj1xwJqsbYvLTvAtxEgmohgxvcJ7oADiqXBgDQ6HJNxe3U6q3NGO6Q7XhmtHMFN+bf+BlT7Hll6Ma11BfYNi6rKnROqJTL6ezm53jLNnqk9En/GYwcAKmGI1C1xlJ9cQDuHzA6w57TexdAOXnBVMi50oAoAG8taUDWtppQwfuuCF+D7Nz5QoUNUKE/ExtTjriBg04RXv6gFTKqYbeb4qDMIqf6hgpVd1xroZipGfQhuHocjoUKQSfSP8BDYDTZoxVIiEBUHP8RRK5Xof45x0+fYj1+O7kg8VpA== +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=http://cidmfed.chop.edu/oam/fedHankeeJ@email.chop.eduurn:auth0:avillachlab:CHOPLDAPScheme_GRIN`; + var options = { + cert: cert, + thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', + checkExpiration: false, + realm: 'urn:auth0:avillachlab:CHOP' + }; + var samlp = new Samlp(options, new Saml(options)); + samlp.validateSamlResponse(samlResponse, function (err, profile) { + if (err) return done(err); + expect(profile).to.be.ok; + done(); + }); + }); + it('should return profile even if the namespace is in respsonse element and assertion is signed', function(done){ + var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); + var samlResponse = ` +http://cidmfed.chop.edu/oam/fed + + + rbOfDvvLSUqfujYcW1b0L8alwf0=MYHsKJvyvkDeA8w485PV4QbQszIQoTeWb+LdRkk9xofVgF325wPnBM7rF+MeZ9ft13nhuW3JpmhKLJnWeQzzpDCxJe8yW1DyE/kHz+FEMOt4d4gKAUBuS5dyh307dhOFYnDOCx9r/oRnFCzsuFXuI4xR8DjRVw9w/8ICCRCFzOK/LZsgpSwmym1Crmm+nXpPuOzkSJl1MUs9UdGAyo0Y0MyXLKybvvZbTyKAIezQFSdr2wz4h1y9IOJvpGrgv3Bu7zN6tjIJQLmEdVk7ugYaQ1ro9jD0Fjk3NgERFnDdEAmo8calIS9VW3pW2g20322Dayky6feumpJYzd4ZrAvoVA== +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=http://cidmfed.chop.edu/oam/fed + + + zHHFFB4JHVjYEJyJXVk7C4QAnL8=O9i/ioG9MCc1L13hj2J1ouliDU+oE8TE2OCagGjrn3bZdpST2P3bJtaA1vSZolso1eTjn2gyaP3Va2z8CeRqfhd+flusKQJetVOBhdaLEu5Bvw6nufWhLolfNn1PmGdEDdCUMiY9NC1nwIZ8szvGL54Ca9xvjso+ocY/KGk4jXHygJy27IoLSj18YK3vXPJmC97XzKUmyLOMIBi9wf+hSZRkWTB5ejDFUfnzLP/vBhqRUPYxafv1YSNtjbRPO3IynodsKqtqWgvcuzCGqP/tZKZ185mxtlo2qPRI11Y4x3Mg0bv0HABnIwFqP47a2XYeeMY71c/Er766xjPzIF0QNA== +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=HankeeJ@email.chop.eduurn:auth0:avillachlab:CHOPLDAPScheme_GRIN`; + var options = { + cert: cert, + thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', + checkExpiration: false, + realm: 'urn:auth0:avillachlab:CHOP' + }; + var samlp = new Samlp(options, new Saml(options)); + samlp.validateSamlResponse(samlResponse, function (err, profile) { + if (err) return done(err); + expect(profile).to.be.ok; + done(); + }); + }); }); describe('getSamlStatus', function(){ From e9e1844b4a2099930d10f3706388781a28f3293f Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 2 Sep 2016 14:54:38 +0200 Subject: [PATCH 179/203] Fixed issue with namespace defined in response causing digest issues in assertion --- lib/passport-wsfed-saml2/samlp.js | 15 +++++-- test/interop.tests.js | 1 - test/samlp.tests.js | 75 +++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+), 4 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 4f69971..0311269 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -369,10 +369,19 @@ Samlp.prototype = { try { var dsigNamespace = assertionSignature.lookupNamespaceURI(assertionSignature.prefix); if (dsigNamespace && !assertionSignature.getAttribute('xmlns:' + assertionSignature.prefix)) { - // saml assertion signature has a prefix but namespace is defined on parent, copy it to assertion - assertion.setAttribute('xmlns:' + assertionSignature.prefix, dsigNamespace); + // Moving namespaces declared in response to assertion + // This fixes OAM Identity Provider + if (responseXML.attributes) { + var length = responseXML.attributes.length; + for (var i = 0; i < length; ++i) { + var attr = responseXML.attributes[i]; + if (attr.name.indexOf("xmlns") === 0) { + assertion.setAttribute(attr.name, attr.value); + } + } + } } - } catch(e) {} + } catch(e) { } } } diff --git a/test/interop.tests.js b/test/interop.tests.js index 390a971..ec26480 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -50,7 +50,6 @@ describe('interop', function () { uri: 'http://localhost:5051/callback/samlp-signedresponse-signedassertion', form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZjEzOGQyZTUzMWQ0NjI0ZmNhZmQ4OGJlYWNmN2VjMzkwMzRmMmEzNzRkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMy0wNy0wN1QxMTo1NToxOFoiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2YxMzhkMmU1MzFkNDYyNGZjYWZkODhiZWFjZjdlYzM5MDM0ZjJhMzc0ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+VXJHUURDSGF0eTRjNzZqTW5oWmZZb09qQ1RFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5uSGZLUDRzbXliTHQxRTdwNVZJMkttUnZtL3RYMEpVRVNGYUN6ejM4M1RDMWpTU2JaODZKSVJYSVdMRXl1WTJCOTJBNHdmdC8zaHhqV2ZBNTNWUFdsYS93UzBEcitRbzUxU2svTzZNek1tbXRXakx2WVZhTDhvQ3lZUFZHSDlyWXZ4cnlnVXFyVkZDZVZhS3U5Y1VwVWpPdXZTYzM1dUovOEJFZUZ1cTdBMm89PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2l6Q0NBZlFDQ1FDWTh0S2FNYzBCTWpBTkJna3Foa2lHOXcwQkFRVUZBRENCaVRFTE1Ba0dBMVVFQmhNQ1RrOHhFakFRQmdOVkJBZ1RDVlJ5YjI1a2FHVnBiVEVRTUE0R0ExVUVDaE1IVlU1SlRrVlVWREVPTUF3R0ExVUVDeE1GUm1WcFpHVXhHVEFYQmdOVkJBTVRFRzl3Wlc1cFpIQXVabVZwWkdVdWJtOHhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtRnVaSEpsWVhNdWMyOXNZbVZ5WjBCMWJtbHVaWFIwTG01dk1CNFhEVEE0TURVd09EQTVNakkwT0ZvWERUTTFNRGt5TXpBNU1qSTBPRm93Z1lreEN6QUpCZ05WQkFZVEFrNVBNUkl3RUFZRFZRUUlFd2xVY205dVpHaGxhVzB4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4RGpBTUJnTlZCQXNUQlVabGFXUmxNUmt3RndZRFZRUURFeEJ2Y0dWdWFXUndMbVpsYVdSbExtNXZNU2t3SndZSktvWklodmNOQVFrQkZocGhibVJ5WldGekxuTnZiR0psY21kQWRXNXBibVYwZEM1dWJ6Q0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUF0OGpMb3FJMVZUbHhBWjJheGlESVRoV2NBT1hkdThLa1ZVV2FOL1Nvb085TzBRUTdLUlVqU0dLTjlKSzY1QUZSRFhRa1dQQXU0SGxuTzRub1lsRlNMbll5RHhJNjZMQ3I3MXg0bGdGSmpxTGVBdkIvR3FCcUZmSVozWUsvTnJoblVxRndadTYzbkxyWmpjVVp4TmFQak9PU1JTRGFYcHYxa2I1azNqT2lTR0VDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQlFZajRjQWFmV2FZZmpCVTJ6aTFFbHdTdElhSjVueXAvcy84QjhTQVBLMlQ3OU1jTXljY1Azd1NXMTNMSGttTTFqd0tlM0FDRlhCdnFHUU4wSWJjSDQ5aHUwRktoWUZNL0dQREpjSUhGQnNpeU1CWENocHllOXZCYVRORUJDdFUzS2pqeUcwaFJUMm1BUTloK2JrUG1PdmxFby9hSDB4UjY4WjlodzRQRjEzdz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEzLTA3LTA3VDExOjU1OjE4WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vb3BlbmlkcC5mZWlkZS5ubzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI19lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlZPWVNVQlZZSUNvTWJwbk5INEVCRHhBUWtKTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RW1rR1docVZvZ25vNWhja01UcG9ySHFwT0szVDZpZ2JRVXA2Zmkxc1pvcXFsd3cxSUtmc3REMW1LdzVjM21JcldyNjFnOTh4TFMxLzBnMW5hUWlpT0MzbDl6Y0g3QUFIOVdGWW5JejdGeUE4dmllKzBxTE1Dbno4cVVpZ21HWDNRbEdiQ1QzUHVUNDEzUWlZSm9DT2VXME5zYUpaWUNINUFOWnprSUJsdG9nPTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNpekNDQWZRQ0NRQ1k4dEthTWMwQk1qQU5CZ2txaGtpRzl3MEJBUVVGQURDQmlURUxNQWtHQTFVRUJoTUNUazh4RWpBUUJnTlZCQWdUQ1ZSeWIyNWthR1ZwYlRFUU1BNEdBMVVFQ2hNSFZVNUpUa1ZVVkRFT01Bd0dBMVVFQ3hNRlJtVnBaR1V4R1RBWEJnTlZCQU1URUc5d1pXNXBaSEF1Wm1WcFpHVXVibTh4S1RBbkJna3Foa2lHOXcwQkNRRVdHbUZ1WkhKbFlYTXVjMjlzWW1WeVowQjFibWx1WlhSMExtNXZNQjRYRFRBNE1EVXdPREE1TWpJME9Gb1hEVE0xTURreU16QTVNakkwT0Zvd2dZa3hDekFKQmdOVkJBWVRBazVQTVJJd0VBWURWUVFJRXdsVWNtOXVaR2hsYVcweEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReERqQU1CZ05WQkFzVEJVWmxhV1JsTVJrd0Z3WURWUVFERXhCdmNHVnVhV1J3TG1abGFXUmxMbTV2TVNrd0p3WUpLb1pJaHZjTkFRa0JGaHBoYm1SeVpXRnpMbk52YkdKbGNtZEFkVzVwYm1WMGRDNXViekNCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBdDhqTG9xSTFWVGx4QVoyYXhpRElUaFdjQU9YZHU4S2tWVVdhTi9Tb29POU8wUVE3S1JValNHS045Sks2NUFGUkRYUWtXUEF1NEhsbk80bm9ZbEZTTG5ZeUR4STY2TENyNzF4NGxnRkpqcUxlQXZCL0dxQnFGZklaM1lLL05yaG5VcUZ3WnU2M25MclpqY1VaeE5hUGpPT1NSU0RhWHB2MWtiNWszak9pU0dFQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUJRWWo0Y0FhZldhWWZqQlUyemkxRWx3U3RJYUo1bnlwL3MvOEI4U0FQSzJUNzlNY015Y2NQM3dTVzEzTEhrbU0xandLZTNBQ0ZYQnZxR1FOMEliY0g0OWh1MEZLaFlGTS9HUERKY0lIRkJzaXlNQlhDaHB5ZTl2QmFUTkVCQ3RVM0tqanlHMGhSVDJtQVE5aCtia1BtT3ZsRW8vYUgweFI2OFo5aHc0UEYxM3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0idXJuOmF1dGgwOmxvZ2luLWRldjMiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fOTVkYThhZjQ4MjY4NmEwY2VjZDY0Y2I3Y2FmOGU4NzFiN2FjMTFkYWUxPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA3LTA3VDEyOjAwOjE4WiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDctMDdUMTE6NTQ6NDhaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTI6MDA6MThaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnVybjphdXRoMDpsb2dpbi1kZXYzPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wNy0wN1QxMToxMTo0MVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTk6NTU6MThaIiBTZXNzaW9uSW5kZXg9Il81ZDA2MDZhMGIxZmQ5Nzk4ZDJhMjg3MjE5M2UzOWE5MDdhM2MwYmE0MTUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJjbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPk1hdGlhcyBXb2xvc2tpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXRpYXN3QGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraUBybmQuZmVpZGUubm88L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uVGFyZ2V0ZWRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPjFiMTI0NmQ3MjgxOTdiYjQ3ZDA5MzQyYWE0ZjZjM2Y0N2Y0ZTkyYWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPldvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzIFdvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+bWF0aWFzd0BnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjYiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj53b2xvc2tpQHJuZC5mZWlkZS5ubzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xYjEyNDZkNzI4MTk3YmI0N2QwOTM0MmFhNGY2YzNmNDdmNGU5MmFlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+' } }, function(err, response, body) { - console.log(body); if(err) return done(err); if (response.statusCode !== 200) return done(new Error(response.body)); r = response; diff --git a/test/samlp.tests.js b/test/samlp.tests.js index dd3c024..4788311 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -704,6 +704,81 @@ describe('samlp (unit tests)', function () { done(); }); }); + + it('should return profile even if the namespace is in respsonse element', function(done){ + var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); + var samlResponse = ` +http://cidmfed.chop.edu/oam/fed + + + wFK//X7GAw5PBQHntPWb8OThZEE=tIb8Z6OWq1T0sws6JFdAbUR6FEBk3I7NkXgk5wCt42tMjPq343j8aj1xwJqsbYvLTvAtxEgmohgxvcJ7oADiqXBgDQ6HJNxe3U6q3NGO6Q7XhmtHMFN+bf+BlT7Hll6Ma11BfYNi6rKnROqJTL6ezm53jLNnqk9En/GYwcAKmGI1C1xlJ9cQDuHzA6w57TexdAOXnBVMi50oAoAG8taUDWtppQwfuuCF+D7Nz5QoUNUKE/ExtTjriBg04RXv6gFTKqYbeb4qDMIqf6hgpVd1xroZipGfQhuHocjoUKQSfSP8BDYDTZoxVIiEBUHP8RRK5Xof45x0+fYj1+O7kg8VpA== +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=http://cidmfed.chop.edu/oam/fedHankeeJ@email.chop.eduurn:auth0:avillachlab:CHOPLDAPScheme_GRIN`; + var options = { + cert: cert, + thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', + checkExpiration: false, + realm: 'urn:auth0:avillachlab:CHOP' + }; + var samlp = new Samlp(options, new Saml(options)); + samlp.validateSamlResponse(samlResponse, function (err, profile) { + if (err) return done(err); + expect(profile).to.be.ok; + done(); + }); + }); + + it('should help nico sabena', function(done){ + var samlResponse = ` + https://oam-stg.putnam.com/oam/fed + + + + https://oam-stg.putnam.com/oam/fed + + + Xf6a3Y0xwjZf921nP20oOVZcOYQ=LtqqnXEEiEJoz3CTBbKB43TYo+nuSZqobcfum3a9m/hrrU+6TtIublnTXBHl/55cy0sjAkgC/c71jSmM0CJ0Ucp63MvLhxDgQGik0DEsrBq8RlGhCCxoe3J4zY49wfcvmQWW8yr0n8hnVqkM5et+uRN5va3ZJ3YvG0+Cb4Kc4MBBh1X6JPfaXt/pVSC5SSmU3QkjJBmJ07fhltILrleQoaLfg/8H1bwNx3WDO+1wrw4z40F2LWg/XnsmYK0MfBJ5QkpqHIJjSodmb9C/eKPB6dW4O6fwHKrZ2AR7f9BXNG3w2sQmTsX1swJgwew0jCo52r8mWaGo9CotU7WYRL0AtA== +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo= + + Demo_User@putnam.com + + + + + + urn:auth0:fireglass:putnam + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + + + + + Demo_User@putnam.com + + + User + + + Demo + + + +`; + var options = { + + thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', + checkExpiration: false, + realm: 'urn:auth0:fireglass:putnam' + }; + var samlp = new Samlp(options, new Saml(options)); + samlp.validateSamlResponse(samlResponse, function (err, profile) { + if (err) return done(err); + expect(profile).to.be.ok; + done(); + }); + }); }); describe('getSamlStatus', function(){ From 70ab8adf419b2bd515d544f77f0145b6f24b6728 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Wed, 7 Sep 2016 00:43:35 +0200 Subject: [PATCH 180/203] Fixed IBM saml responses --- lib/passport-wsfed-saml2/samlp.js | 31 ++++++++++++++++++------------- test/samlp.tests.js | 29 ++++++++++++++++++++++++++++- 2 files changed, 46 insertions(+), 14 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 0311269..c9510cc 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -363,25 +363,30 @@ Samlp.prototype = { return callback(new Error('neither the response nor the assertion are signed')); } - if (isAssertionSigned) { + if (isAssertionSigned) { var assertionSignature = xpath.select(samlAssertionSignaturePath, assertion)[0]; if (assertionSignature.prefix) { try { var dsigNamespace = assertionSignature.lookupNamespaceURI(assertionSignature.prefix); if (dsigNamespace && !assertionSignature.getAttribute('xmlns:' + assertionSignature.prefix)) { - // Moving namespaces declared in response to assertion - // This fixes OAM Identity Provider - if (responseXML.attributes) { - var length = responseXML.attributes.length; - for (var i = 0; i < length; ++i) { - var attr = responseXML.attributes[i]; - if (attr.name.indexOf("xmlns") === 0) { - assertion.setAttribute(attr.name, attr.value); - } - } - } + // saml assertion signature has a prefix but namespace is defined on parent, copy it to assertion + assertionSignature.setAttribute('xmlns:' + assertionSignature.prefix, dsigNamespace); } - } catch(e) { } + } catch(e) {} + } + + // If we find that a namespace was defined in resopnse and is used in assertion, we copy it to the assertion element + if (responseXML.attributes) { + var length = responseXML.attributes.length; + for (var i = 0; i < length; ++i) { + var attr = responseXML.attributes[i]; + // If attribute is a namespace, and is the signature prefix and is used in Assertion, cpy it to assertion + if (attr.name.indexOf("xmlns") === 0 && + attr.name.indexOf('xmlns:' + assertionSignature.prefix) === -1 && + xpath.select("//*[local-name(.)='Assertion']//*[namespace-uri(.)='" + attr.value + "'] or //*[local-name(.)='Assertion']//@*[namespace-uri(.)='" + attr.value + "']", samlResponse)) { + assertion.setAttribute(attr.name, attr.value); + } + } } } diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 4788311..f8c7044 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -679,6 +679,7 @@ describe('samlp (unit tests)', function () { done(); }); }); + it('should return profile even if the namespace is in respsonse element and assertion is signed', function(done){ var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); var samlResponse = ` @@ -727,7 +728,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should help nico sabena', function(done){ + it('should return profile when attribute namespaces are defined in saml response', function(done){ var samlResponse = ` https://oam-stg.putnam.com/oam/fed @@ -779,6 +780,32 @@ describe('samlp (unit tests)', function () { done(); }); }); + + it('should return profile for IBM saml response', function(done){ + var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); + var samlResponse = ` +https://w3id.sso.ibm.com/auth/sps/samlidp/saml20 + + + nKIJagEhY0nwjWf2eTMUpy7B/O8=nQoLtflrSaVpV6FQEuORo/dzm+vN8qAU4djJOxEXHjszmrQY0TAvPNS76L/f/lmZMbvkfg5Z/pZBlLfrmsiBRqq7EKrHzJpGU39e2frOjY8MaH95dWh0SztH4rvN2cUozqOxFVHMfbKVJTltXgvV1adaiSjTiGiaADSoVT4P1ydyBIldNt7w8tyFYMX0LOkO31FF93XGEyYwRnYFW0XzLX4AnFk5jklkF4pgHlw/43pzRLJcW1F+kpLMba17cg7XAVzwbyc85GrLKW3ijdCWERW1TDm1jcwhCxFgGcFqP0YaLwIlg9Cg05A43WVEBp8VBRjq+k/s4Yus3KznzWlq7w== +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=https://w3id.sso.ibm.com/auth/sps/samlidp/saml20 + + + UzUVS+6XRPhKUK7cw3diiofYSTg=uXXEjo8CjqdbDs2MEWooAbufv1hrC5BKXuoYuS/9Z1eqh1vZdgVogqz2yzz2YStzZolB55zL9EbHuHJ8jq8Fw6yDDm7igB2Q6pej08FTrkzBnt7485wKTcTUJdEH7tDJUR5ibm2ESWFTXih7FiAb5Bs9NBX+kK1MJBpKEPOrlqB/IJbwe0bQcQbS6OSfciRiP7Vrw37xB+2tm5Qlgsy7uJXpHaB+jErFT3EdyekaS+KgVmE6f989Ky8n9b+W1p1LbMQJz5+eUsaJVPqt6Sn8SDuKt+uwZWTMNtTJ4tZ5h3kuHAL9spthldfI7sUFAyRr4KI23YE+2lK62pf/vuexaQ== +MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=uuid6dd97435-0154-186a-971f-ee1c8efabddeurn:auth0:safarijv:IBM-Produrn:oasis:names:tc:SAML:2.0:ac:classes:Passwordcornel.popa@ro.ibm.comY9C4BM826`; + var options = { + cert: cert, + thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', + checkExpiration: false, + realm: 'urn:auth0:safarijv:IBM-Prod' + }; + var samlp = new Samlp(options, new Saml(options)); + samlp.validateSamlResponse(samlResponse, function (err, profile) { + if (err) return done(err); + expect(profile).to.be.ok; + done(); + }); + }); }); describe('getSamlStatus', function(){ From a2ee3cbe47c9df26e4ca5ac366061113b8ad918e Mon Sep 17 00:00:00 2001 From: Samuel Judson Date: Thu, 15 Sep 2016 11:38:04 -0400 Subject: [PATCH 181/203] Support passReqToCallback option. --- lib/passport-wsfed-saml2/strategy.js | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index feb710d..10a71f9 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -28,6 +28,7 @@ function WsFedSaml2Strategy (options, verify) { Strategy.call(this); this._verify = verify; + this._passReqToCallback = !!options.passReqToCallback; if (!this.options.jwt) { this._saml = new saml.SAML(this.options); @@ -78,8 +79,12 @@ WsFedSaml2Strategy.prototype._authenticate_saml = function (req, state) { self.success(user, info); }; - self._verify(profile, verified); - }); + if (self._passReqToCallback) { + self._verify(req, profile, verified); + } else { + self._verify(profile, verified); + } + }) }); }; @@ -107,7 +112,11 @@ WsFedSaml2Strategy.prototype._authenticate_jwt = function (req, state) { self.success(user, info); }; - self._verify(profile, verified); + if (self._passReqToCallback) { + self._verify(req, profile, verified); + } else { + self._verify(profile, verified); + } }); }; @@ -208,7 +217,11 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { self.success(user, info); }; - self._verify(profile, verified); + if (self._passReqToCallback) { + self._verify(req, profile, verified); + } else { + self._verify(profile, verified); + } }); }; From 77ec755b87f6cbe065103e288ecd69eeabbc7955 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Wed, 28 Sep 2016 22:15:04 +0200 Subject: [PATCH 182/203] Added flags to disable NameQualifier validation --- lib/passport-wsfed-saml2/saml.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index d291f32..521c543 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -23,6 +23,8 @@ var SAML = function (options) { this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true; this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; this.options.checkRecipient = (typeof this.options.checkRecipient !== 'undefined') ? this.options.checkRecipient : true; + this.options.checkNameQualifier = (typeof this.options.checkNameQualifier !== 'undefined') ? this.options.checkNameQualifier : true; + this.options.checkSPNameQualifier = (typeof this.options.checkSPNameQualifier !== 'undefined') ? this.options.checkSPNameQualifier : true; this.eventEmitter = this.options.eventEmitter || new EventEmitter(); }; @@ -357,12 +359,12 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { profile.issuer = issuer; // Validate the name qualifier in the NameID element if found with the audience - if (!self.validateNameQualifier(samlAssertion, issuer)){ + if (self.options.checkNameQualifier && !self.validateNameQualifier(samlAssertion, issuer)){ return callback(new Error('NameQualifier attribute in the NameID element does not match ' + issuer), null); } // Validate the SP name qualifier in the NameID element if found with the issuer - if (!self.validateSPNameQualifier(samlAssertion, self.options.realm)){ + if (self.options.checkSPNameQualifier && !self.validateSPNameQualifier(samlAssertion, self.options.realm)){ return callback(new Error('SPNameQualifier attribute in the NameID element does not match ' + self.options.realm), null); } From bcdc796fbeb15b03602725f0fcbbe8e0649a3716 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Thu, 29 Sep 2016 15:04:23 +0200 Subject: [PATCH 183/203] Updated namequalifier and spnamequalifier validations to only apply to specific nameid formats --- lib/passport-wsfed-saml2/saml.js | 77 ++++++++++++++++++-------------- test/saml20.tests.js | 42 +++++++++++++++-- 2 files changed, 83 insertions(+), 36 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 521c543..3167d19 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -141,24 +141,35 @@ SAML.prototype.validateAudience = function (samlAssertion, realm, version) { }; SAML.prototype.validateNameQualifier = function (samlAssertion, issuer) { - var nameID = xpath.select("//*[local-name(.)='NameID']", samlAssertion); - if (!nameID || nameID.length === 0) return true; - - var nameQualifier = nameID[0].getAttribute('NameQualifier'); + var nameID = getNameID20(samlAssertion); + // NameQualifier is optional. Only validate if exists + if (!nameID || !nameID.Format || !nameID.NameQualifier) return true; + + if ([ + 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', + 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' + ].indexOf(nameID.Format) == -1){ + // Ignore validation if the format is not persistent or transient + return true; + } - if (!nameQualifier) return true; - return nameQualifier === issuer + return nameID.NameQualifier === issuer }; SAML.prototype.validateSPNameQualifier = function (samlAssertion, audience) { - var nameID = xpath.select("//*[local-name(.)='NameID']", samlAssertion); - if (!nameID || nameID.length === 0) return true; - - var spNameQualifier = nameID[0].getAttribute('SPNameQualifier'); - - if (!spNameQualifier) return true; + var nameID = getNameID20(samlAssertion); + // SPNameQualifier is optional. Only validate if exists + if (!nameID || !nameID.Format || !nameID.SPNameQualifier) return true; + + if ([ + 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', + 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' + ].indexOf(nameID.Format) == -1){ + // Ignore validation if the format is not persistent or transient + return true; + } - return spNameQualifier === audience + return nameID.SPNameQualifier === audience }; // https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf @@ -203,26 +214,6 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { return sessionIndex || undefined; } - function getNameID20(samlAssertion) { - var nameId = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='NameID']", samlAssertion); - if (nameId.length === 0) return; - var element = nameId[0]; - var result = { - value: element.textContent, - }; - - ['NameQualifier', - 'SPNameQualifier', - 'Format', - 'SPProvidedID'].forEach(function(key) { - var value = element.getAttribute(key); - if (!value) return; - result[key] = element.getAttribute(key); - }); - - return result; - } - function getNameID11(samlAssertion) { var nameId = xpath.select("//*[local-name(.)='AuthenticationStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); @@ -375,4 +366,24 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { callback(null, profile); }; +function getNameID20(samlAssertion) { + var nameId = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='NameID']", samlAssertion); + if (nameId.length === 0) return; + var element = nameId[0]; + var result = { + value: element.textContent, + }; + + ['NameQualifier', + 'SPNameQualifier', + 'Format', + 'SPProvidedID'].forEach(function(key) { + var value = element.getAttribute(key); + if (!value) return; + result[key] = element.getAttribute(key); + }); + + return result; +} + exports.SAML = SAML; diff --git a/test/saml20.tests.js b/test/saml20.tests.js index a28b96d..2223dc9 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -43,20 +43,56 @@ describe('saml 2.0 assertion', function () { }); }); - it('should validate the NameQualifier with the Issuer', function (done) { + it('should ignore the NameQualifier validation when nameid format is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"', function (done) { var signedAssertion = 'urn:issuerp7iHnIt5xJZNimGNxh4d9R2J7DML8WNrMwMxmZ1WwSU=pb1Wp/LFbigEj+TNm7gkAwlfIc17LNwUXVTgM8RQnMvYJfIPZbl1yo5xMCh6ObMFwCs1T+gKI5C7jMloX2QhWD/XUffBKiDfkZUg7NI/Jyt5m+Bdst12SNhHBVsNilL9ZCuf+QtQD7301gUhVHP6Ramf4y+XNod9AfzhFLYNfl6fhf/5KA/KkjiOwYW5Ps/43OMXXSeVaeQ7JRU8XqyKbwlB+YXGseFLnyZopv8Cw9Bb2935ADLX111oFBkiRhnMUJW0LMbSWM6UVJ4V0qoW9h+f3isN5+R87RECNeAQP3WSBiddnEuSdhgQYQVnb6s0mThpvs7uvIOlog0FqeSrvQ==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false, checkExpiration: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { - assert.equal(err.message, 'NameQualifier attribute in the NameID element does not match urn:issuer'); + if (err) return done(err); + + assert.ok(profile); + assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); + assert.equal('Foo Bar', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']); + assert.equal('foo@bar.com', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']); + assert.equal('foo@bar.com', profile['email']); + assert.equal('urn:issuer', profile['issuer']); done(); }); }); - it('should validate the SPNameQualifier with Audience', function (done) { + it('should ignore the SPNameQualifier validation when the nameid format is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"', function (done) { var signedAssertion = 'urn:issuerUYsy9NacnRqnSTbidM8WBBgS+Op0G05iBJTX0T1WlUk=VzRQaMR5Qk1P+g1tqJRKroq4JJx00FZ0rZxO4vG2gGkBXJ8262B4VUHOkxyPHNH1l/DuxSnNsL8AAbZfn8EdxMdToPvm2hkqygyA5W20o6g6eSC41rDOavTzesOKoXn3Uq9DOiUXve5ieYYCt5bQcoSCVT6uhVEKMhdcLhaB507qj9Gzcfp0E4F57ezRTTnVVEF/wCJ5j0QTMA2Wh09fxNkGijlE8KHzDJZapN4tDCzmK8qY7211gKuTfKYJGXYA4hSxw9fiQGDEPKRYA6tWf0HO5Vd8edRg2ZHr7AgjuCPp5Fj8VOP+KppA1YFBbq4Eqqt6KHg91KJlGs3ivpmwPw==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false, checkExpiration: false}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + if (err) return done(err); + + assert.ok(profile); + assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); + assert.equal('Foo Bar', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']); + assert.equal('foo@bar.com', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']); + assert.equal('foo@bar.com', profile['email']); + assert.equal('urn:issuer', profile['issuer']); + done(); + }); + }); + + it('should validate the NameQualifier when nameid format is "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"', function (done) { + var signedAssertion = 'urn:issuerndqj65JwACeDERG2aZF6k0IF85KshkhgILzxhbKRyiw=LPcIU9W9HmX1QM+baMPLTj9StBFRksnDoFn/HVd8uLJgdH8Xeiv9TOQGElmSaBLypjCeN6ILq6pcZ0mxMC9zfd9X3WKmYtcrGI1BugATeNsqUm63x+Msau8pNuZrNNbfIQvLooMhF4T92ym2ADSm+zCQVNwBH7/v0rVIE6MEy8AYqqfpvH9CR88XQYMCSgKN0JQ2FPbcHvhIX7Hl+xG6PSzgfznE8dcWBUi24FajyGpqlNm8O3uHCfjR3wzO42UQIJFOJOiLb7QGNyWE1KXKYWyzZgAxGQuRUcbYxcnKTbVK3b3TBH+p2ZR+a2ktKmvqNBvQxy6tE4UXDIIpvmknSw==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; + + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); + var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false, checkExpiration: false}); + var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { + assert.equal(err.message, 'NameQualifier attribute in the NameID element does not match urn:issuer'); + done(); + }); + }); + + it('should validate the SPNameQualifier when the nameid format is "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"', function (done) { + var signedAssertion = 'urn:issuerGsh2DubHXYDeuHyBa+DU1k5G43UjyQsyPRYVgEqpTD8=mubsqLCaM16gT2rAFLl8XDuLWTALH6cdRMM/kNHLpVzO5PA6FGVPX5ojW2UCKGOhGHn0Hd/mYCOCtgAROphWjxpQl5TDyeQE0frjKs8ik0V/Jjy5T6PeWKHLqN6sHbP6YpkGixshCWtop8JOs6SijM9PBGnWal6Nx5bUMBfAyUnGyIhLwNaE8Z4NHkyAqmdxgLS0e8w5qngKQaUlyERZCrqKQ4w8VaHFG4Dos36XVfh+U7udo3IlbrpBLsu9xG1Azxe2iPC6+84xC09P6EvQylvTnz5NU4jhk10SmmRjZ6AVvzJTz/gbVfRfZoEAUhCuIIh3HuRwf400ESf38ouZTA==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=foourn:myappfoo@bar.comFoo Barurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; + var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString(); var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp', checkRecipient: false, checkExpiration: false}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(err, profile) { From 9b2aeeeb30370cd74f1d914d83e1f9f4f7ea33f9 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Thu, 20 Oct 2016 00:35:04 +0200 Subject: [PATCH 184/203] Added try/catch to prevent throwing when parsing saml response --- lib/passport-wsfed-saml2/strategy.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 0d13164..c98e48b 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -204,7 +204,13 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { return self.fail('SAMLResponse should be a valid xml', 400); } - var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); + try{ + // Try to parse to detect malformed xmls + var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); + } catch(e){ + // Send error + return self.fail(e); + } // If options are not set, we set the expected value from the request object var req_full_url = getReqUrl(req); From 5e21379a8757a37246845206c3fc5d2c07993c2c Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Thu, 20 Oct 2016 22:37:41 +0200 Subject: [PATCH 185/203] Moved var outside try/catch --- lib/passport-wsfed-saml2/strategy.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index c98e48b..3741816 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -204,9 +204,10 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { return self.fail('SAMLResponse should be a valid xml', 400); } + var samlResponseDom; try{ // Try to parse to detect malformed xmls - var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); + samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); } catch(e){ // Send error return self.fail(e); From 6466249e270a4beb75006bba88adfad2647e7a0e Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 21 Oct 2016 00:36:06 +0200 Subject: [PATCH 186/203] Added flag to enable/disable validation --- lib/passport-wsfed-saml2/samlp.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index c9510cc..07e4a65 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -39,11 +39,14 @@ var Samlp = module.exports = function Samlp (options, saml) { } this.options.checkDestination = (typeof this.options.checkDestination !== 'undefined') ? this.options.checkDestination : true; + this.options.checkResponseID = (typeof this.options.checkResponseID !== 'undefined') ? this.options.checkResponseID : true; + this.options.checkInResponseTo = (typeof this.options.checkInResponseTo !== 'undefined') ? this.options.checkInResponseTo : true; + this.eventEmitter = this.options.eventEmitter || new EventEmitter(); this._saml = saml; - this.isValidResponseID = this.options.isValidResponseID || ignoreValidationFunction; - this.isValidInResponseTo = this.options.isValidInResponseTo || ignoreValidationFunction; + this.isValidResponseID = (this.options.checkResponseID && this.options.isValidResponseID) || ignoreValidationFunction; + this.isValidInResponseTo = (this.options.checkInResponseTo && this.options.isValidInResponseTo) || ignoreValidationFunction; }; function getProp(obj, path) { From 79d0ac4f4b15a95c3c5b497f192dc18a8fadea9c Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Tue, 1 Nov 2016 20:44:52 +0100 Subject: [PATCH 187/203] Added logging to parse assertion --- lib/passport-wsfed-saml2/saml.js | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 3167d19..bbf5d47 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -347,6 +347,12 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { issuer = samlAssertion.getAttribute('Issuer'); } + + this.eventEmitter.emit('parseAssertion', { + issuer: issuer, + version: version, + }); + profile.issuer = issuer; // Validate the name qualifier in the NameID element if found with the audience From 822834562aee93c0144220518417531d63afb2d3 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 13 Jan 2017 16:07:51 +0100 Subject: [PATCH 188/203] Fixed signature issue in SMAL request and improved error messages' --- lib/passport-wsfed-saml2/saml.js | 1 + lib/passport-wsfed-saml2/samlp.js | 2 + package.json | 2 +- test/fixture/samlp-server.js | 18 ++++++ test/samlp.tests.js | 91 ++++++++++++++++++++++++++++++- 5 files changed, 112 insertions(+), 2 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index bbf5d47..fd89c74 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -325,6 +325,7 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { else return callback(new Error('SAML Assertion version not supported'), null); + if (self.options.checkExpiration && !self.validateExpiration(samlAssertion, version)) { return callback(new Error('assertion has expired.'), null); } diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 07e4a65..5b90467 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -19,6 +19,8 @@ var BINDINGS = { }; var ErrorMessages = { + 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch': 'The SAML responder could not process the request because the version of the request message was incorrect.', + 'urn:oasis:names:tc:SAML:2.0:status:Requester' : 'The request could not be performed due to an error on the part of the requester', 'urn:oasis:names:tc:SAML:2.0:status:Responder' : 'The request could not be performed due to an error on the part of the SAML responder or SAML authority', 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed' : 'The responding provider was unable to successfully authenticate the principal' }; diff --git a/package.json b/package.json index 3e9c77b..6a622b6 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,7 @@ "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", "uid2": "0.0.x", - "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/b2e7bc8d340d3d50e83ccff40ed5ff3bb9103b54", + "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/ee2adb4a661bbc90a4b8cfcf8f0a9f5596d865d9", "xml-encryption": "~0.8.0", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 5a67fe6..f7a2283 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -92,6 +92,23 @@ passport.use('samlp-signedrequest-with-deflate', new Strategy({ }) ); +passport.use('samlp-signedrequest-without-deflate-post', new Strategy({ + protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + path: '/callback', + realm: 'https://auth0-dev-ed.my.salesforce.com', + identityProviderUrl: identityProviderUrl, + thumbprints: ['5ca6e1202eafc0a63a5b93a43572eb2376fed309'], + signingKey: { + key: fs.readFileSync(path.join(__dirname, '../test-auth0.key')), + cert: fs.readFileSync(path.join(__dirname, '../test-auth0.pem')), + }, + deflate: false + }, function(profile, done) { + return done(null, profile); + }) +); + + passport.use('samlp-signedresponse', new Strategy( { path: '/callback', @@ -278,6 +295,7 @@ module.exports.start = function(options, callback){ app.get('/login-idp-with-querystring', passport.authenticate('samlp-idpurl-with-querystring', { protocol: 'samlp', RelayState: relayState })); app.get('/login-signed-request-without-deflate', passport.authenticate('samlp-signedrequest-without-deflate', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-signed-request-without-deflate-post', passport.authenticate('samlp-signedrequest-without-deflate-post', { protocol: 'samlp', RelayState: relayState })); app.get('/login-signed-request-with-deflate', passport.authenticate('samlp-signedrequest-with-deflate', { protocol: 'samlp', RelayState: relayState })); app.get('/login-custom-request-template', diff --git a/test/samlp.tests.js b/test/samlp.tests.js index f8c7044..5947d93 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -449,6 +449,51 @@ describe('samlp (functional tests)', function () { }); }); + describe('POST binding', function () { + var r, bod, $; + + before(function (done) { + request.get({ + jar: request.jar(), + uri: 'http://localhost:5051/login-signed-request-without-deflate-post' + }, function (err, resp, b){ + if(err) return callback(err); + r = resp; + bod = b; + $ = cheerio.load(bod); + done(); + }); + }); + + it('should return 200 with form element', function(){ + expect(r.statusCode) + .to.equal(200); + }); + + it('should have signed SAMLRequest with valid signature', function(done){ + var signedSAMLRequest = $('form input[name="SAMLRequest"]').val(); + var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); + var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); + + expect(utils.isValidSignature(signedRequest, signingCert)) + .to.equal(true); + + done(); + }); + + it('should show issuer before signature', function(done){ + var signedSAMLRequest = $('form input[name="SAMLRequest"]').val(); + var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); + var doc = new xmldom.DOMParser().parseFromString(signedRequest); + + // First child has to be the issuer + expect(doc.documentElement.childNodes[0].nodeName).to.equal('saml:Issuer'); + // Second child the signature + expect(doc.documentElement.childNodes[1].nodeName).to.equal('Signature'); + done(); + }); + }); + describe('with deflate', function () { var r, bod; @@ -571,6 +616,10 @@ describe('samlp (unit tests)', function () { var samlpResponseWithStatusResponderWithMessage = 'urn:fixture-testspecific error message'; var samlpResponseWithStatusResponderAndAuthnFailed = 'urn:fixture-test'; var samlpResponseWithStatusResponderAndAuthnFailedWithMessage = 'urn:fixture-testspecific error message'; + var samlpResponseWithStatusRequesterWithMessage = 'urn:fixture-testsignature required'; + var samlpResponseWithStatusRequesterWithoutMessage = 'urn:fixture-test'; + var samlpResponseWithStatusVersionMismatchWithMessage = 'urn:fixture-testversion mismatch error'; + var samlpResponseWithStatusVersionMismatchWithoutMessage = 'urn:fixture-test'; var samlpResponseWithStatusNotMappedStatus = 'urn:fixture-test'; it('shuold return error for AuthnFailed status with generic message', function(done){ @@ -613,6 +662,46 @@ describe('samlp (unit tests)', function () { }); }); + it('should return error for Requester status with specific message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusRequesterWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('signature required'); + done(); + }); + }); + + it('should return error for Requester status with specific message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusRequesterWithoutMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('The request could not be performed due to an error on the part of the requester'); + done(); + }); + }); + + it('should return error for Requester status with specific message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusVersionMismatchWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('version mismatch error'); + done(); + }); + }); + + it('should return error for Requester status with specific message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusVersionMismatchWithoutMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('The SAML responder could not process the request because the version of the request message was incorrect.'); + done(); + }); + }); + it('should return \'saml response does not contain an Assertion element\' error', function(done){ var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusNotMappedStatus, function (err) { @@ -888,4 +977,4 @@ function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { callback(null, { response: response, body: body }); }); }); -} +} \ No newline at end of file From 4ac88f2b387e9190a230f2d30d5d46d7248bf96a Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 13 Jan 2017 16:14:08 +0100 Subject: [PATCH 189/203] Fixed names of tests and endpoint --- test/fixture/samlp-server.js | 4 +- test/samlp.tests.js | 72 ++++++++++++++++++------------------ 2 files changed, 38 insertions(+), 38 deletions(-) diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index f7a2283..fae3db4 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -92,7 +92,7 @@ passport.use('samlp-signedrequest-with-deflate', new Strategy({ }) ); -passport.use('samlp-signedrequest-without-deflate-post', new Strategy({ +passport.use('samlp-signedrequest-post', new Strategy({ protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', path: '/callback', realm: 'https://auth0-dev-ed.my.salesforce.com', @@ -295,7 +295,7 @@ module.exports.start = function(options, callback){ app.get('/login-idp-with-querystring', passport.authenticate('samlp-idpurl-with-querystring', { protocol: 'samlp', RelayState: relayState })); app.get('/login-signed-request-without-deflate', passport.authenticate('samlp-signedrequest-without-deflate', { protocol: 'samlp', RelayState: relayState })); - app.get('/login-signed-request-without-deflate-post', passport.authenticate('samlp-signedrequest-without-deflate-post', { protocol: 'samlp', RelayState: relayState })); + app.get('/login-signed-request-post', passport.authenticate('samlp-signedrequest-post', { protocol: 'samlp', RelayState: relayState })); app.get('/login-signed-request-with-deflate', passport.authenticate('samlp-signedrequest-with-deflate', { protocol: 'samlp', RelayState: relayState })); app.get('/login-custom-request-template', diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 5947d93..6b3bdd4 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -411,85 +411,85 @@ describe('samlp (functional tests)', function () { }); describe('samlp with signed request', function () { - describe('without deflate', function () { - var r, bod; + describe('POST binding', function () { + var r, bod, $; before(function (done) { request.get({ jar: request.jar(), - followRedirect: false, - uri: 'http://localhost:5051/login-signed-request-without-deflate' + uri: 'http://localhost:5051/login-signed-request-post' }, function (err, resp, b){ if(err) return callback(err); r = resp; bod = b; + $ = cheerio.load(bod); done(); }); }); - it('should redirect to idp', function(){ + it('should return 200 with form element', function(){ expect(r.statusCode) - .to.equal(302); + .to.equal(200); }); it('should have signed SAMLRequest with valid signature', function(done){ - expect(r.headers.location.split('?')[0]) - .to.equal(server.identityProviderUrl); - var querystring = qs.parse(r.headers.location.split('?')[1]); - expect(querystring).to.have.property('SAMLRequest'); - expect(querystring.RelayState).to.equal('somestate'); - - var signedSAMLRequest = querystring.SAMLRequest; + var signedSAMLRequest = $('form input[name="SAMLRequest"]').val(); var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); expect(utils.isValidSignature(signedRequest, signingCert)) .to.equal(true); + + done(); + }); + + it('should show issuer before signature', function(done){ + var signedSAMLRequest = $('form input[name="SAMLRequest"]').val(); + var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); + var doc = new xmldom.DOMParser().parseFromString(signedRequest); + + // First child has to be the issuer + expect(doc.documentElement.childNodes[0].nodeName).to.equal('saml:Issuer'); + // Second child the signature + expect(doc.documentElement.childNodes[1].nodeName).to.equal('Signature'); done(); }); }); - describe('POST binding', function () { - var r, bod, $; + describe('without deflate', function () { + var r, bod; before(function (done) { request.get({ jar: request.jar(), - uri: 'http://localhost:5051/login-signed-request-without-deflate-post' + followRedirect: false, + uri: 'http://localhost:5051/login-signed-request-without-deflate' }, function (err, resp, b){ if(err) return callback(err); r = resp; bod = b; - $ = cheerio.load(bod); done(); }); }); - it('should return 200 with form element', function(){ + it('should redirect to idp', function(){ expect(r.statusCode) - .to.equal(200); + .to.equal(302); }); it('should have signed SAMLRequest with valid signature', function(done){ - var signedSAMLRequest = $('form input[name="SAMLRequest"]').val(); + expect(r.headers.location.split('?')[0]) + .to.equal(server.identityProviderUrl); + var querystring = qs.parse(r.headers.location.split('?')[1]); + expect(querystring).to.have.property('SAMLRequest'); + expect(querystring.RelayState).to.equal('somestate'); + + var signedSAMLRequest = querystring.SAMLRequest; var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); expect(utils.isValidSignature(signedRequest, signingCert)) .to.equal(true); - - done(); - }); - - it('should show issuer before signature', function(done){ - var signedSAMLRequest = $('form input[name="SAMLRequest"]').val(); - var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); - var doc = new xmldom.DOMParser().parseFromString(signedRequest); - - // First child has to be the issuer - expect(doc.documentElement.childNodes[0].nodeName).to.equal('saml:Issuer'); - // Second child the signature - expect(doc.documentElement.childNodes[1].nodeName).to.equal('Signature'); done(); }); }); @@ -672,7 +672,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should return error for Requester status with specific message', function(done){ + it('should return error for Requester status with default message', function(done){ var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusRequesterWithoutMessage, function (err) { expect(err).to.be.ok; @@ -682,7 +682,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should return error for Requester status with specific message', function(done){ + it('should return error for VersionMismatch status with specific message', function(done){ var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusVersionMismatchWithMessage, function (err) { expect(err).to.be.ok; @@ -692,7 +692,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should return error for Requester status with specific message', function(done){ + it('should return error for VersionMismatch status with default message', function(done){ var samlp = new Samlp({ checkDestination: false }); samlp.validateSamlResponse(samlpResponseWithStatusVersionMismatchWithoutMessage, function (err) { expect(err).to.be.ok; From 97d4bd1c6786dfddc663b9e36ab164dc65a1911a Mon Sep 17 00:00:00 2001 From: dschenkelman Date: Fri, 20 Jan 2017 16:35:49 -0300 Subject: [PATCH 190/203] Fix for node 6.x. Be explicit about crypto update input encoding latin1 --- .travis.yml | 4 ++-- lib/passport-wsfed-saml2/saml.js | 2 +- lib/passport-wsfed-saml2/samlp.js | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index b3d4c98..656ae12 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,5 @@ language: node_js before_install: npm i -g npm@1.4.28 node_js: - - 0.8 - - 0.10 \ No newline at end of file + - 4 + - 6 \ No newline at end of file diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index af229ed..e3cb3dd 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -59,7 +59,7 @@ SAML.prototype.validateSignature = function (xml, options, callback) { var base64cer = embeddedSignature[0].firstChild.toString(); var shasum = crypto.createHash('sha1'); var der = new Buffer(base64cer, 'base64').toString('binary'); - shasum.update(der); + shasum.update(der, 'latin1'); self.calculatedThumbprint = shasum.digest('hex'); // using embedded cert, so options.cert is not used anymore diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 98deff1..9a5f229 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -68,7 +68,7 @@ var removeHeaders = function (cert) { var sign = function (content, key, algorithm) { var signer = crypto.createSign(algorithm.toUpperCase()); - signer.update(content); + signer.update(content, 'latin1'); return signer.sign(key, 'base64'); }; From 11cedb4d943ce3d06ae519ad89c03a8bbe4d545f Mon Sep 17 00:00:00 2001 From: Eugenio Pace Date: Thu, 11 May 2017 15:01:28 -0700 Subject: [PATCH 191/203] Updated older dependencies that raised issues with Snyk --- package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 988e53a..2aca885 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.6", + "version": "2.11.7", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" @@ -20,12 +20,12 @@ "main": "./lib/passport-wsfed-saml2", "dependencies": { "cryptiles": "~0.2.2", - "ejs": "~0.8.3", + "ejs": "2.5.5", "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", "uid2": "0.0.x", "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", - "xml-encryption": "~0.8.0", + "xml-encryption": "0.11.0", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", "xpath": "0.0.5", From dbbf544e19cbbc318156f8529acd2ac44ae2ae78 Mon Sep 17 00:00:00 2001 From: Eugenio Pace Date: Thu, 11 May 2017 15:18:16 -0700 Subject: [PATCH 192/203] Bumped minor after dependencies update --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 2aca885..d1844c1 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.11.7", + "version": "2.12.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From 5e8c8b6359ba09f996940fd0fb8eb993ba0ad118 Mon Sep 17 00:00:00 2001 From: Sandrino Di Mattia Date: Wed, 24 May 2017 21:11:12 +0200 Subject: [PATCH 193/203] Better error handing when xml (wresult/SAMLResponse) is invalid --- .../errors/SamlAssertionParserError.js | 13 + .../errors/SamlResponseParserError.js | 13 + .../errors/WSFederationResultParserError.js | 13 + lib/passport-wsfed-saml2/index.js | 7 +- lib/passport-wsfed-saml2/saml.js | 619 +++++++++--------- lib/passport-wsfed-saml2/samlp.js | 18 +- lib/passport-wsfed-saml2/strategy.js | 46 +- lib/passport-wsfed-saml2/utils.js | 41 ++ lib/passport-wsfed-saml2/wsfederation.js | 228 +++---- test/fixture/samlp-server.js | 13 +- test/fixture/wsfed-server.js | 15 +- test/samlp.tests.js | 28 + test/wsfed.tests.js | 41 +- 13 files changed, 625 insertions(+), 470 deletions(-) create mode 100644 lib/passport-wsfed-saml2/errors/SamlAssertionParserError.js create mode 100644 lib/passport-wsfed-saml2/errors/SamlResponseParserError.js create mode 100644 lib/passport-wsfed-saml2/errors/WSFederationResultParserError.js create mode 100644 lib/passport-wsfed-saml2/utils.js diff --git a/lib/passport-wsfed-saml2/errors/SamlAssertionParserError.js b/lib/passport-wsfed-saml2/errors/SamlAssertionParserError.js new file mode 100644 index 0000000..84db458 --- /dev/null +++ b/lib/passport-wsfed-saml2/errors/SamlAssertionParserError.js @@ -0,0 +1,13 @@ +function SamlAssertionParserError (message, detail, status) { + var err = Error.call(this, message); + err.name = 'SamlAssertionParserError'; + err.message = message || 'Error parsing SAML Assertion'; + err.detail = detail; + err.status = status || 400; + return err; +} + +SamlAssertionParserError.prototype = Object.create(Error.prototype); +SamlAssertionParserError.prototype.constructor = SamlAssertionParserError; + +module.exports = SamlAssertionParserError; diff --git a/lib/passport-wsfed-saml2/errors/SamlResponseParserError.js b/lib/passport-wsfed-saml2/errors/SamlResponseParserError.js new file mode 100644 index 0000000..f807db1 --- /dev/null +++ b/lib/passport-wsfed-saml2/errors/SamlResponseParserError.js @@ -0,0 +1,13 @@ +function SamlResponseParseError (message, detail, status) { + var err = Error.call(this, message); + err.name = 'SamlResponseParseError'; + err.message = message || 'Error parsing SAMLResponse'; + err.detail = detail; + err.status = status || 400; + return err; +} + +SamlResponseParseError.prototype = Object.create(Error.prototype); +SamlResponseParseError.prototype.constructor = SamlResponseParseError; + +module.exports = SamlResponseParseError; diff --git a/lib/passport-wsfed-saml2/errors/WSFederationResultParserError.js b/lib/passport-wsfed-saml2/errors/WSFederationResultParserError.js new file mode 100644 index 0000000..e7a3f30 --- /dev/null +++ b/lib/passport-wsfed-saml2/errors/WSFederationResultParserError.js @@ -0,0 +1,13 @@ +function WSFederationResultParseError (message, detail, status) { + var err = Error.call(this, message); + err.name = 'WSFederationResultParseError'; + err.message = message || 'Error parsing wresult'; + err.detail = detail; + err.status = status || 400; + return err; +} + +WSFederationResultParseError.prototype = Object.create(Error.prototype); +WSFederationResultParseError.prototype.constructor = WSFederationResultParseError; + +module.exports = WSFederationResultParseError; diff --git a/lib/passport-wsfed-saml2/index.js b/lib/passport-wsfed-saml2/index.js index 23b52fd..1347a5a 100644 --- a/lib/passport-wsfed-saml2/index.js +++ b/lib/passport-wsfed-saml2/index.js @@ -1,3 +1,8 @@ exports.Strategy = require('./strategy'); exports.SAML = require('./saml'); -exports.samlp = require('./samlp'); \ No newline at end of file +exports.samlp = require('./samlp'); + +exports.AuthenticationFailedError = require('./errors/AuthenticationFailedError'); +exports.SamlAssertionParserError = require('./errors/SamlAssertionParserError'); +exports.SamlResponseParserError = require('./errors/SamlResponseParserError'); +exports.WSFederationResultParserError = require('./errors/WSFederationResultParserError'); diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index af229ed..06e69d1 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -1,310 +1,309 @@ -// credits to: https://github.com/bergie/passport-saml - -var xmlCrypto = require('xml-crypto'); -var crypto = require('crypto'); -var xmldom = require('xmldom'); -var xpath = require('xpath'); -var cryptiles = require('cryptiles'); - -var ELEMENT_NODE = 1; - -var SAML = function (options) { - this.options = options; - - if (this.options.thumbprint) { - this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]); - } - - if (!this.options.cert && (!this.options.thumbprints || this.options.thumbprints.length === 0)) { - throw new Error('You should set either a base64 encoded certificate or the thumbprints of the signing certificates'); - } - - this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true; - this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; -}; - -SAML.prototype.certToPEM = function (cert) { - cert = cert.match(/.{1,64}/g).join('\n'); - cert = "-----BEGIN CERTIFICATE-----\n" + cert; - cert = cert + "\n-----END CERTIFICATE-----\n"; - return cert; -}; - -SAML.prototype.validateSignature = function (xml, options, callback) { - var self = this; - if (typeof xml === 'string') xml = new xmldom.DOMParser().parseFromString(xml); - - var signaturePath = this.options.signaturePath || options.signaturePath; - var signature = xpath.select(signaturePath, xml)[0]; - if (!signature) - return callback(new Error('Signature is missing (xpath: ' + signaturePath + ')')); - - var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); - sig.keyInfoProvider = { - getKeyInfo: function (key) { - return ""; - }, - getKey: function (keyInfo) { - - //If there's no embedded signing cert, use the configured cert through options - if(!keyInfo || keyInfo.length===0){ - if(!options.cert) throw new Error('options.cert must be specified for SAMLResponses with no embedded signing certificate'); - return self.certToPEM(options.cert); - } - - //If there's an embedded signature and thumprints are provided check that - if (options.thumbprints && options.thumbprints.length > 0) { - var embeddedSignature = keyInfo[0].getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate"); - if (embeddedSignature.length > 0) { - var base64cer = embeddedSignature[0].firstChild.toString(); - var shasum = crypto.createHash('sha1'); - var der = new Buffer(base64cer, 'base64').toString('binary'); - shasum.update(der); - self.calculatedThumbprint = shasum.digest('hex'); - - // using embedded cert, so options.cert is not used anymore - delete options.cert; - return self.certToPEM(base64cer); - } - } - - // If there's an embedded signature, but no thumprints are supplied, use options.cert - // either options.cert or options.thumbprints must be specified so at this point there - // must be an options.cert - return self.certToPEM(options.cert); - } - }; - - var valid; - - try { - sig.loadSignature(signature.toString()); - valid = sig.checkSignature(xml.toString()); - } catch (e) { - return callback(e); - } - - if (!valid) { - return callback(new Error('Signature check errors: ' + sig.validationErrors)); - } - - if (options.cert) { - return callback(); - } - - if (options.thumbprints) { - - var valid_thumbprint = options.thumbprints.some(function (thumbprint) { - return self.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase(); - }); - - if (!valid_thumbprint) { - return callback(new Error('Invalid thumbprint (configured: ' + options.thumbprints.join(', ').toUpperCase() + '. calculated: ' + this.calculatedThumbprint.toUpperCase() + ')' )); - } - - return callback(); - } -}; - -SAML.prototype.validateExpiration = function (samlAssertion, version) { - var conditions = xpath.select("//*[local-name(.)='Conditions']", samlAssertion); - if (!conditions || conditions.length === 0) return false; - - var notBefore = new Date(conditions[0].getAttribute('NotBefore')); - notBefore = notBefore.setMinutes(notBefore.getMinutes() - 10); // 10 minutes clock skew - - var notOnOrAfter = new Date(conditions[0].getAttribute('NotOnOrAfter')); - notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 10); // 10 minutes clock skew - var now = new Date(); - - if (now < notBefore || now > notOnOrAfter) - return false; - - return true; -}; - -SAML.prototype.validateAudience = function (samlAssertion, realm, version) { - var audience; - if (version === '2.0') { - audience = xpath.select("//*[local-name(.)='Conditions']/*[local-name(.)='AudienceRestriction']/*[local-name(.)='Audience']", samlAssertion); - } else { - audience = xpath.select("//*[local-name(.)='Conditions']/*[local-name(.)='AudienceRestrictionCondition']/*[local-name(.)='Audience']", samlAssertion); - } - - if (!audience || audience.length === 0) return false; - return cryptiles.fixedTimeComparison(audience[0].textContent, realm); -}; - -SAML.prototype.parseAttributes = function (samlAssertion, version) { - function getAttributes(samlAssertion) { - var attributes = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Attribute']", samlAssertion); - return attributes; - } - - function getSessionIndex(samlAssertion) { - var authnStatement = xpath.select("//*[local-name(.)='AuthnStatement']", samlAssertion); - var sessionIndex = authnStatement.length > 0 && authnStatement[0].attributes.length > 0 ? - authnStatement[0].getAttribute('SessionIndex') : undefined; - return sessionIndex || undefined; - } - - function getNameID20(samlAssertion) { - var nameId = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='NameID']", samlAssertion); - if (nameId.length === 0) return; - var element = nameId[0]; - var result = { - value: element.textContent, - }; - - ['NameQualifier', - 'SPNameQualifier', - 'Format', - 'SPProvidedID'].forEach(function(key) { - var value = element.getAttribute(key); - if (!value) return; - result[key] = element.getAttribute(key); - }); - - return result; - } - - function getNameID11(samlAssertion) { - var nameId = xpath.select("//*[local-name(.)='AuthenticationStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); - - if (nameId.length === 0) { - // only for backward compatibility with adfs - nameId = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); - if (nameId.length === 0) return; - } - - return nameId[0].textContent; - } - - function getAttributeValues(attribute) { - if (!attribute || attribute.childNodes.length === 0) return; - var attributeValues = []; - for (var i = 0; i 1) { - profile['nameIdAttributes'] = nameId; - } - } - - authContext = getAuthContext20(samlAssertion); - if (authContext) { - profile['http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'] = authContext; - } - - } else { - if (attributes) { - for (var index2 in attributes) { - var attribute2 = attributes[index2]; - var value2 = getAttributeValues(attribute2); - profile[attribute2.getAttribute('AttributeNamespace') + '/' + attribute2.getAttribute('AttributeName')] = value2; - } - } - - nameId = getNameID11(samlAssertion); - if (nameId) { - profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = typeof nameId === 'string' ? nameId : nameId['#']; - } - } - - return profile; -}; - -SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { - var self = this; - - if (typeof samlAssertion === 'string') - samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion); - - self.validateSignature(samlAssertion, { - cert: self.options.cert, - thumbprints: self.options.thumbprints, - signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) { - if (err) return callback(err); - - self.parseAssertion(samlAssertion, callback); - }); -}; - -SAML.prototype.parseAssertion = function(samlAssertion, callback) { - var self = this; - if (self.options.extractSAMLAssertion){ - samlAssertion = self.options.extractSAMLAssertion(samlAssertion); - } - - if (typeof samlAssertion === 'string') - samlAssertion = new xmldom.DOMParser().parseFromString(samlAssertion).documentElement; - - if (!samlAssertion.getAttribute) - samlAssertion = samlAssertion.documentElement; - - var version; - if (samlAssertion.getAttribute('MajorVersion') === '1') - version = '1.1'; - else if (samlAssertion.getAttribute('Version') === '2.0') - version = '2.0'; - else - return callback(new Error('SAML Assertion version not supported'), null); - - if (self.options.checkExpiration && !self.validateExpiration(samlAssertion, version)) { - return callback(new Error('assertion has expired.'), null); - } - - if (self.options.checkAudience && !self.validateAudience(samlAssertion, self.options.realm, version)) { - console.log('Audience is invalid. Configured: ' + self.options.realm); - return callback(new Error('Audience is invalid. Configured: ' + self.options.realm), null); - } - - var profile = self.parseAttributes(samlAssertion, version); - - var issuer; - if (version === '2.0') { - var issuerNode = xpath.select("//*[local-name(.)='Issuer']", samlAssertion); - if (issuerNode.length > 0) issuer = issuerNode[0].textContent; - } else { - issuer = samlAssertion.getAttribute('Issuer'); - } - - profile.issuer = issuer; - - if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { - profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; - } - - callback(null, profile); -}; - -exports.SAML = SAML; +// credits to: https://github.com/bergie/passport-saml + +var crypto = require('crypto'); +var cryptiles = require('cryptiles'); +var xpath = require('xpath'); +var xmlCrypto = require('xml-crypto'); + +var utils = require('./utils'); + +var ELEMENT_NODE = 1; + +var SAML = function (options) { + this.options = options; + + if (this.options.thumbprint) { + this.options.thumbprints = (this.options.thumbprints || []).concat([this.options.thumbprint]); + } + + if (!this.options.cert && (!this.options.thumbprints || this.options.thumbprints.length === 0)) { + throw new Error('You should set either a base64 encoded certificate or the thumbprints of the signing certificates'); + } + + this.options.checkExpiration = (typeof this.options.checkExpiration !== 'undefined') ? this.options.checkExpiration : true; + this.options.checkAudience = (typeof this.options.checkAudience !== 'undefined') ? this.options.checkAudience : true; +}; + +SAML.prototype.certToPEM = function (cert) { + cert = cert.match(/.{1,64}/g).join('\n'); + cert = "-----BEGIN CERTIFICATE-----\n" + cert; + cert = cert + "\n-----END CERTIFICATE-----\n"; + return cert; +}; + +SAML.prototype.validateSignature = function (xml, options, callback) { + var self = this; + xml = utils.parseSamlResponse(xml); + + var signaturePath = this.options.signaturePath || options.signaturePath; + var signature = xpath.select(signaturePath, xml)[0]; + if (!signature) + return callback(new Error('Signature is missing (xpath: ' + signaturePath + ')')); + + var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); + sig.keyInfoProvider = { + getKeyInfo: function (key) { + return ""; + }, + getKey: function (keyInfo) { + + //If there's no embedded signing cert, use the configured cert through options + if(!keyInfo || keyInfo.length===0){ + if(!options.cert) throw new Error('options.cert must be specified for SAMLResponses with no embedded signing certificate'); + return self.certToPEM(options.cert); + } + + //If there's an embedded signature and thumprints are provided check that + if (options.thumbprints && options.thumbprints.length > 0) { + var embeddedSignature = keyInfo[0].getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "X509Certificate"); + if (embeddedSignature.length > 0) { + var base64cer = embeddedSignature[0].firstChild.toString(); + var shasum = crypto.createHash('sha1'); + var der = new Buffer(base64cer, 'base64').toString('binary'); + shasum.update(der); + self.calculatedThumbprint = shasum.digest('hex'); + + // using embedded cert, so options.cert is not used anymore + delete options.cert; + return self.certToPEM(base64cer); + } + } + + // If there's an embedded signature, but no thumprints are supplied, use options.cert + // either options.cert or options.thumbprints must be specified so at this point there + // must be an options.cert + return self.certToPEM(options.cert); + } + }; + + var valid; + + try { + sig.loadSignature(signature.toString()); + valid = sig.checkSignature(xml.toString()); + } catch (e) { + return callback(e); + } + + if (!valid) { + return callback(new Error('Signature check errors: ' + sig.validationErrors)); + } + + if (options.cert) { + return callback(); + } + + if (options.thumbprints) { + + var valid_thumbprint = options.thumbprints.some(function (thumbprint) { + return self.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase(); + }); + + if (!valid_thumbprint) { + return callback(new Error('Invalid thumbprint (configured: ' + options.thumbprints.join(', ').toUpperCase() + '. calculated: ' + this.calculatedThumbprint.toUpperCase() + ')' )); + } + + return callback(); + } +}; + +SAML.prototype.validateExpiration = function (samlAssertion, version) { + var conditions = xpath.select("//*[local-name(.)='Conditions']", samlAssertion); + if (!conditions || conditions.length === 0) return false; + + var notBefore = new Date(conditions[0].getAttribute('NotBefore')); + notBefore = notBefore.setMinutes(notBefore.getMinutes() - 10); // 10 minutes clock skew + + var notOnOrAfter = new Date(conditions[0].getAttribute('NotOnOrAfter')); + notOnOrAfter = notOnOrAfter.setMinutes(notOnOrAfter.getMinutes() + 10); // 10 minutes clock skew + var now = new Date(); + + if (now < notBefore || now > notOnOrAfter) + return false; + + return true; +}; + +SAML.prototype.validateAudience = function (samlAssertion, realm, version) { + var audience; + if (version === '2.0') { + audience = xpath.select("//*[local-name(.)='Conditions']/*[local-name(.)='AudienceRestriction']/*[local-name(.)='Audience']", samlAssertion); + } else { + audience = xpath.select("//*[local-name(.)='Conditions']/*[local-name(.)='AudienceRestrictionCondition']/*[local-name(.)='Audience']", samlAssertion); + } + + if (!audience || audience.length === 0) return false; + return cryptiles.fixedTimeComparison(audience[0].textContent, realm); +}; + +SAML.prototype.parseAttributes = function (samlAssertion, version) { + function getAttributes(samlAssertion) { + var attributes = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Attribute']", samlAssertion); + return attributes; + } + + function getSessionIndex(samlAssertion) { + var authnStatement = xpath.select("//*[local-name(.)='AuthnStatement']", samlAssertion); + var sessionIndex = authnStatement.length > 0 && authnStatement[0].attributes.length > 0 ? + authnStatement[0].getAttribute('SessionIndex') : undefined; + return sessionIndex || undefined; + } + + function getNameID20(samlAssertion) { + var nameId = xpath.select("//*[local-name(.)='Subject']/*[local-name(.)='NameID']", samlAssertion); + if (nameId.length === 0) return; + var element = nameId[0]; + var result = { + value: element.textContent, + }; + + ['NameQualifier', + 'SPNameQualifier', + 'Format', + 'SPProvidedID'].forEach(function(key) { + var value = element.getAttribute(key); + if (!value) return; + result[key] = element.getAttribute(key); + }); + + return result; + } + + function getNameID11(samlAssertion) { + var nameId = xpath.select("//*[local-name(.)='AuthenticationStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); + + if (nameId.length === 0) { + // only for backward compatibility with adfs + nameId = xpath.select("//*[local-name(.)='AttributeStatement']/*[local-name(.)='Subject']/*[local-name(.)='NameIdentifier']", samlAssertion); + if (nameId.length === 0) return; + } + + return nameId[0].textContent; + } + + function getAttributeValues(attribute) { + if (!attribute || attribute.childNodes.length === 0) return; + var attributeValues = []; + for (var i = 0; i 1) { + profile['nameIdAttributes'] = nameId; + } + } + + authContext = getAuthContext20(samlAssertion); + if (authContext) { + profile['http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'] = authContext; + } + + } else { + if (attributes) { + for (var index2 in attributes) { + var attribute2 = attributes[index2]; + var value2 = getAttributeValues(attribute2); + profile[attribute2.getAttribute('AttributeNamespace') + '/' + attribute2.getAttribute('AttributeName')] = value2; + } + } + + nameId = getNameID11(samlAssertion); + if (nameId) { + profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'] = typeof nameId === 'string' ? nameId : nameId['#']; + } + } + + return profile; +}; + +SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { + var self = this; + + samlAssertion = utils.parseSamlAssertion(samlAssertion); + + self.validateSignature(samlAssertion, { + cert: self.options.cert, + thumbprints: self.options.thumbprints, + signaturePath: "//*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) { + if (err) return callback(err); + + self.parseAssertion(samlAssertion, callback); + }); +}; + +SAML.prototype.parseAssertion = function(samlAssertion, callback) { + var self = this; + if (self.options.extractSAMLAssertion){ + samlAssertion = self.options.extractSAMLAssertion(samlAssertion); + } + + samlAssertion = utils.parseSamlAssertion(samlAssertion); + + if (!samlAssertion.getAttribute) + samlAssertion = samlAssertion.documentElement; + + var version; + if (samlAssertion.getAttribute('MajorVersion') === '1') + version = '1.1'; + else if (samlAssertion.getAttribute('Version') === '2.0') + version = '2.0'; + else + return callback(new Error('SAML Assertion version not supported'), null); + + if (self.options.checkExpiration && !self.validateExpiration(samlAssertion, version)) { + return callback(new Error('assertion has expired.'), null); + } + + if (self.options.checkAudience && !self.validateAudience(samlAssertion, self.options.realm, version)) { + console.log('Audience is invalid. Configured: ' + self.options.realm); + return callback(new Error('Audience is invalid. Configured: ' + self.options.realm), null); + } + + var profile = self.parseAttributes(samlAssertion, version); + + var issuer; + if (version === '2.0') { + var issuerNode = xpath.select("//*[local-name(.)='Issuer']", samlAssertion); + if (issuerNode.length > 0) issuer = issuerNode[0].textContent; + } else { + issuer = samlAssertion.getAttribute('Issuer'); + } + + profile.issuer = issuer; + + if (!profile.email && profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']) { + profile.email = profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']; + } + + callback(null, profile); +}; + +exports.SAML = SAML; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 98deff1..5642c45 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -1,4 +1,3 @@ -var xmldom = require('xmldom'); var xpath = require('xpath'); var qs = require('querystring'); var zlib = require('zlib'); @@ -10,6 +9,7 @@ var querystring = require('querystring'); var SignedXml = require('xml-crypto').SignedXml; var templates = require('./templates'); +var utils = require('./utils'); var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); var BINDINGS = { @@ -202,17 +202,13 @@ Samlp.prototype = { }, extractAssertion: function(samlpResponse, callback) { - if (typeof samlpResponse === 'string') { - samlpResponse = new xmldom.DOMParser().parseFromString(samlpResponse); - } + samlpResponse = utils.parseSamlResponse(samlpResponse); var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; var done = function (err, assertion) { if (err) { return callback(err); } - if (typeof assertion === 'string') { - assertion = new xmldom.DOMParser().parseFromString(assertion); - } + assertion = utils.parseSamlAssertion(assertion); // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion if (assertion && assertion.prefix && !assertion.getAttributeNS(saml2Namespace, assertion.prefix)) { @@ -256,9 +252,7 @@ Samlp.prototype = { getSamlStatus: function (samlResponse) { var status = {}; - if (typeof samlResponse === 'string') { - samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); - } + samlResponse = utils.parseSamlResponse(samlResponse); // status code var statusCodeXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusCode']", samlResponse)[0]; @@ -289,9 +283,7 @@ Samlp.prototype = { validateSamlResponse: function (samlResponse, callback) { var self = this; - if (typeof samlResponse === 'string') { - samlResponse = new xmldom.DOMParser().parseFromString(samlResponse); - } + samlResponse = utils.parseSamlResponse(samlResponse); // check status var samlStatus = self.getSamlStatus(samlResponse); diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 10a71f9..8300806 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -1,12 +1,12 @@ var util = require('util'); var url = require('url'); -var xmldom = require('xmldom'); var jwt = require('jsonwebtoken'); var Strategy = require('passport-strategy'); var saml = require('./saml'); var wsfed = require('./wsfederation'); var samlp = require('./samlp'); +var utils = require('./utils'); var NullStateStore = require('./state/null'); var SessionStateStore = require('./state/session'); @@ -59,7 +59,7 @@ WsFedSaml2Strategy.prototype._authenticate_saml = function (req, state) { self._wsfed.retrieveToken(req, function(err, token) { if (err) return self.fail(err, err.status || 400); - + self._saml.validateSamlAssertion(token, function (err, profile) { if (err) { return self.error(err); @@ -186,7 +186,7 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { if (state) { authzParams.wctx = state; } redirectToIdp(); }; - + storeState(stored); } } @@ -204,25 +204,25 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { return self.fail('SAMLResponse should be a valid xml', 400); } - var samlResponseDom = new xmldom.DOMParser().parseFromString(samlResponse); - self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { - if (err) return self.fail(err, err.status || 400); - - var verified = function (err, user, info) { - if (err) return self.error(err); - if (!user) return self.fail(info); - - info = info || {}; - if (state) { info.state = state; } - self.success(user, info); - }; - - if (self._passReqToCallback) { - self._verify(req, profile, verified); - } else { - self._verify(profile, verified); - } - }); + var samlResponseDom = utils.parseSamlResponse(samlResponse); + self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { + if (err) return self.fail(err, err.status || 400); + + var verified = function (err, user, info) { + if (err) return self.error(err); + if (!user) return self.fail(info); + + info = info || {}; + if (state) { info.state = state; } + self.success(user, info); + }; + + if (self._passReqToCallback) { + self._verify(req, profile, verified); + } else { + self._verify(profile, verified); + } + }); }; verifyState(req.body.RelayState, loaded); @@ -256,7 +256,7 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { if (state) { authzParams.RelayState = state; } sendRequestToIdp(); }; - + storeState(stored); } } diff --git a/lib/passport-wsfed-saml2/utils.js b/lib/passport-wsfed-saml2/utils.js new file mode 100644 index 0000000..f9e99d8 --- /dev/null +++ b/lib/passport-wsfed-saml2/utils.js @@ -0,0 +1,41 @@ +var xmldom = require('xmldom'); + +var SamlAssertionParserError = require('./errors/SamlAssertionParserError'); +var SamlResponseParserError = require('./errors/SamlResponseParserError'); +var WSFederationResultParserError = require('./errors/WSFederationResultParserError'); + +exports.parseSamlAssertion = function(xml) { + if (typeof xml === 'string') { + try { + return new xmldom.DOMParser().parseFromString(xml); + } catch (e) { + throw new SamlAssertionParserError('SAML Assertion should be a valid xml', e); + } + } + + return xml; +} + +exports.parseSamlResponse = function(xml) { + if (typeof xml === 'string') { + try { + return new xmldom.DOMParser().parseFromString(xml); + } catch (e) { + throw new SamlResponseParserError('SAMLResponse should be a valid xml', e); + } + } + + return xml; +} + +exports.parseWsFedResponse = function(xml) { + if (typeof xml === 'string') { + try { + return new xmldom.DOMParser().parseFromString(xml); + } catch (e) { + throw new WSFederationResultParserError('wresult should be a valid xml', e); + } + } + + return xml; +} diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js index cbe3455..f7b3b70 100644 --- a/lib/passport-wsfed-saml2/wsfederation.js +++ b/lib/passport-wsfed-saml2/wsfederation.js @@ -1,114 +1,114 @@ -var xmldom = require('xmldom'); -var xtend = require('xtend'); -var qs = require('querystring'); -var xpath = require('xpath'); - -var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); - -var WsFederation = module.exports = function WsFederation (realm, homerealm, identityProviderUrl, wreply) { - this.realm = realm; - this.homerealm = homerealm; - this.identityProviderUrl = identityProviderUrl; - this.wreply = wreply; -}; - -WsFederation.prototype = { - getRequestSecurityTokenUrl: function (options) { - var query = xtend(options || {}, { - wtrealm: this.realm, - wa: 'wsignin1.0' - }); - - if (this.homerealm !== '') { - query.whr = this.homerealm; - } - - if (this.wreply) { - query.wreply = this.wreply; - } - - return this.identityProviderUrl + '?' + qs.encode(query); - }, - - extractToken: function(req) { - var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']); - - // //Probe WS-Trust 1.2 namespace (http://schemas.xmlsoap.org/ws/2005/02/trust) - var token = doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0]; - - // //Probe WS-Trust 1.3 namespace (http://docs.oasis-open.org/ws-sx/ws-trust/200512) - if(!token){ - token = doc.getElementsByTagNameNS('http://docs.oasis-open.org/ws-sx/ws-trust/200512', 'RequestedSecurityToken')[0]; - } - - return token && token.firstChild; - }, - - retrieveToken: function(req, callback) { - if (req.body.wresult.indexOf('<') === -1) { - return callback(new Error('wresult should be a valid xml')); - } - - var fault = this.extractFault(req); - if (fault) { - return callback(new AuthenticationFailedError(fault.message, fault.detail)); - } - - var token = this.extractToken(req); - if (!token) { - return callback(new Error('missing RequestedSecurityToken element')); - } - - callback(null, token); - }, - - extractFault: function(req) { - var fault = {}; - var doc = new xmldom.DOMParser().parseFromString(req.body['wresult']); - - var isFault = xpath.select("//*[local-name(.)='Fault']", doc)[0]; - if (!isFault) { - return null; - } - - var codeXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Code']/*[local-name(.)='Value']", doc)[0]; - if (codeXml) { - fault.code = codeXml.textContent; - } - - var subCodeXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Code']/*[local-name(.)='Subcode']/*[local-name(.)='Value']", doc)[0]; - if (subCodeXml) { - fault.subCode = subCodeXml.textContent; - } - - var messageXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Reason']/*[local-name(.)='Text']", doc)[0]; - if (messageXml) { - fault.message = messageXml.textContent; - } - - var detailXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Detail']", doc)[0]; - if (detailXml) { - fault.detail = detailXml.textContent; - } - - return fault; - } -}; - -Object.defineProperty(WsFederation, 'realm', { - get: function () { - return this.realm; - } -}); - -Object.defineProperty(WsFederation, 'homeRealm', { - get: function () { - return this.homeRealm; - } -}); - -Object.defineProperty(WsFederation, 'identityProviderUrl', { - get: function () { - return this.identityProviderUrl; - } -}); \ No newline at end of file +var xtend = require('xtend'); +var qs = require('querystring'); +var xpath = require('xpath'); + +var utils = require('./utils'); +var AuthenticationFailedError = require('./errors/AuthenticationFailedError'); + +var WsFederation = module.exports = function WsFederation (realm, homerealm, identityProviderUrl, wreply) { + this.realm = realm; + this.homerealm = homerealm; + this.identityProviderUrl = identityProviderUrl; + this.wreply = wreply; +}; + +WsFederation.prototype = { + getRequestSecurityTokenUrl: function (options) { + var query = xtend(options || {}, { + wtrealm: this.realm, + wa: 'wsignin1.0' + }); + + if (this.homerealm !== '') { + query.whr = this.homerealm; + } + + if (this.wreply) { + query.wreply = this.wreply; + } + + return this.identityProviderUrl + '?' + qs.encode(query); + }, + + extractToken: function(req) { + var doc = utils.parseWsFedResponse(req.body['wresult']); + + // //Probe WS-Trust 1.2 namespace (http://schemas.xmlsoap.org/ws/2005/02/trust) + var token = doc.getElementsByTagNameNS('http://schemas.xmlsoap.org/ws/2005/02/trust', 'RequestedSecurityToken')[0]; + + // //Probe WS-Trust 1.3 namespace (http://docs.oasis-open.org/ws-sx/ws-trust/200512) + if(!token){ + token = doc.getElementsByTagNameNS('http://docs.oasis-open.org/ws-sx/ws-trust/200512', 'RequestedSecurityToken')[0]; + } + + return token && token.firstChild; + }, + + retrieveToken: function(req, callback) { + if (req.body.wresult.indexOf('<') === -1) { + return callback(new Error('wresult should be a valid xml')); + } + + var fault = this.extractFault(req); + if (fault) { + return callback(new AuthenticationFailedError(fault.message, fault.detail)); + } + + var token = this.extractToken(req); + if (!token) { + return callback(new Error('missing RequestedSecurityToken element')); + } + + callback(null, token); + }, + + extractFault: function(req) { + var fault = {}; + var doc = utils.parseWsFedResponse(req.body['wresult']); + + var isFault = xpath.select("//*[local-name(.)='Fault']", doc)[0]; + if (!isFault) { + return null; + } + + var codeXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Code']/*[local-name(.)='Value']", doc)[0]; + if (codeXml) { + fault.code = codeXml.textContent; + } + + var subCodeXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Code']/*[local-name(.)='Subcode']/*[local-name(.)='Value']", doc)[0]; + if (subCodeXml) { + fault.subCode = subCodeXml.textContent; + } + + var messageXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Reason']/*[local-name(.)='Text']", doc)[0]; + if (messageXml) { + fault.message = messageXml.textContent; + } + + var detailXml = xpath.select("//*[local-name(.)='Fault']/*[local-name(.)='Detail']", doc)[0]; + if (detailXml) { + fault.detail = detailXml.textContent; + } + + return fault; + } +}; + +Object.defineProperty(WsFederation, 'realm', { + get: function () { + return this.realm; + } +}); + +Object.defineProperty(WsFederation, 'homeRealm', { + get: function () { + return this.homeRealm; + } +}); + +Object.defineProperty(WsFederation, 'identityProviderUrl', { + get: function () { + return this.identityProviderUrl; + } +}); diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 9229857..74cb73a 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -263,7 +263,7 @@ module.exports.start = function(options, callback){ app.get('/login-signed-request-without-deflate', passport.authenticate('samlp-signedrequest-without-deflate', { protocol: 'samlp', RelayState: relayState })); app.get('/login-signed-request-with-deflate', passport.authenticate('samlp-signedrequest-with-deflate', { protocol: 'samlp', RelayState: relayState })); - + app.get('/login-custom-request-template', passport.authenticate('samlp-custom-request-template', { protocol: 'samlp', RelayState: relayState })); @@ -327,6 +327,17 @@ module.exports.start = function(options, callback){ } ); + app.post('/callback/samlp-with-invalid-xml', + function (req, res, next) { + passport.authenticate('samlp-with-utf8', { protocol: 'samlp' }, function(err, user, info) { + res.send(400, { message: err.message }); + })(req, res, next); + }, + function(req, res) { + res.json(req.user); + } + ); + app.post('/callback/samlp-with-dsig-at-root', passport.authenticate('samlp-with-dsig-at-root', { protocol: 'samlp' }), function(req, res) { diff --git a/test/fixture/wsfed-server.js b/test/fixture/wsfed-server.js index 70aaae7..0971466 100644 --- a/test/fixture/wsfed-server.js +++ b/test/fixture/wsfed-server.js @@ -73,7 +73,7 @@ module.exports.start = function(options, callback){ callback(null, 'http://localhost:5050/callback'); } - app.get('/login', + app.get('/login', wsfed.auth(xtend({}, { issuer: 'fixture-test', getPostURL: getPostURL, @@ -81,7 +81,18 @@ module.exports.start = function(options, callback){ key: credentials.key }, options))); - app.post('/callback', + app.post('/callback/wresult-with-invalid-xml', + function (req, res, next) { + passport.authenticate('wsfed-saml2', function(err, user, info) { + res.send(400, { message: err.message }); + })(req, res, next); + }, + function(req, res) { + res.json(req.user); + } + ); + + app.post('/callback', passport.authenticate('wsfed-saml2'), function(req, res) { res.json(req.user); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index b4ce3fb..f253bcf 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -144,6 +144,34 @@ describe('samlp (functional tests)', function () { }); }); + describe('SAMLResponse with invalid XML', function() { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5051/callback/samlp-with-invalid-xml', + form: { SAMLResponse: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9mbWktdGVzdC5hdXRoMC5jb20vbG9naW4vY2FsbGJhY2siIElEPSJfNzY4NjU5OGUzNDk4YjcxOGM3MjcyNmZlMjVhZDU3Y2MiIEluUmVzcG9uc2VUbz0iXzM3ZjAyNjJkYWZlNmJhZWFmYThiIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDQtMTFUMTE6MzU6MjQuMDYwWiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cHM6Ly9hYWktbG9nb24uZXRoei5jaC9pZHAvc2hpYmJvbGV0aDwvc2FtbDI6SXNzdWVyPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PHNhbWwycDpTdGF0dXM+PHNhbWwyOkVuY3J5cHRlZEFzc2VydGlvbiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgLz48eGVuYzpFbmNyeXB0ZWREYXRhIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIgSWQ9Il9jOGY1Y2QyZTAwY2UyMzkwYTJkMjdlMzRjZjQwZWI2YSIgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRWxlbWVudCI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI2FlczEyOC1jYmMiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIvPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48eGVuYzpFbmNyeXB0ZWRLZXkgSWQ9Il8wZjczNDk4NTFkMjY0NDk2NWE0N2M2ZjU2OTc1MDk1MSIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjcnNhLW9hZXAtbWdmMXAiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIiB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyIvPjwveGVuYzpFbmNyeXB0aW9uTWV0aG9kPjxkczpLZXlJbmZvPjxkczpLZXlJbmZvIC8+PGRzOktleUluZm8gLz48ZHM6S2V5SW5mbyAvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURPekNDQWlPZ0F3SUJBZ0lKQVBQb0hyRXBiN291TUEwR0NTcUdTSWIzRFFFQkJRVUFNQjB4R3pBWkJnTlZCQU1URW1adGFTMTANClpYTjBMbUYxZEdnd0xtTnZiVEFlRncweE16QTFNRFl5TXpBek1UZGFGdzB5TnpBeE1UTXlNekF6TVRkYU1CMHhHekFaQmdOVkJBTVQNCkVtWnRhUzEwWlhOMExtRjFkR2d3TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUtiOUdpZmYNCitLdlFQd285ZW9PYlNXN05OWVpGclVveFJuNzRxTWNkZlp3a3V3RzNPOEVHaThYK1VzTnROZ3dRbE1WZll0OWxLQjcxaUpTbEtPQmkNCkJQU0ZQN3pQOWpGdFRuZkpjYVJ2ZHZZUG9JQzRZODF0dTZMa05OM2UxLzMxTnArUjZwZDdGNkxmSFdxdWYrQitoeUhKQ1hhc2RkNkoNCmxHb2ViOTQrZW1wajlsbTh3SE5iM3NyLzg4Mzk0S0ozRlVCZXhQelE1cnBLTGU3ZDVmbTRFS08vaXlFcFdIVWxmN2RmOXlHRDZtNzENClB4bys4cjhEcXE3QTVFaEdYL3prNlN1d1o0ai9zeml6eW4vY1h1bGxHZzNQQXNjOVhYTFQ0NTVBMUtFQng1ZVRHck1jN0pRM3VEVXENCnFmRGY0dmp3bE5CY0lqeGcyWDNkTTBzSlZrLzVyMDBDQXdFQUFhTitNSHd3SFFZRFZSME9CQllFRkJzNWxwZnZleU9Tb3BtTlZlZWgNClhQK1BHdGszTUUwR0ExVWRJd1JHTUVTQUZCczVscGZ2ZXlPU29wbU5WZWVoWFArUEd0azNvU0drSHpBZE1Sc3dHUVlEVlFRREV4Sm0NCmJXa3RkR1Z6ZEM1aGRYUm9NQzVqYjIyQ0NRRHo2QjZ4S1crNkxqQU1CZ05WSFJNRUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkJRVUENCkE0SUJBUUEyWmszU21TR1RPaC82cmF6ZW0vRmk4R3pFb3BjS2RJRTF1ZUNoVHNBemg2L21pbTVxNWxIMFBXMWI4NXNRMy9jMzFTWVUNClN4VlpCODRLMk1QNitod0MwV1p4a3E4eTBpTUVFQXhXeUMzWjNpOXBTbEdkdzdzdi9OV0p2NFlQam8yc1NOSHVaODBPMTFhM2NYb3UNCll4TE84REJSTXE5VlRzN1JiN3FLRkJXbDVJeCtjWnhWZ2xyeEl2NlcwOE9ycm1xUGVvRGp1aUppQmoyOGNzamhlaFlFbEtZY25VNEwNClJkSWpCbFpGbjFBb1RKUkJGQXlqTDhCdlNNSU1Sa3pFcm8vR3AzSXpqNjAzUkJUR09rdm5pYWxLSGN3TG5WRkZFMHhlWlpVcTdLdzANCkx2TzBYOHVTM0RYN2RUYzJvcXpYT1R4NDIvT2o1cTl4VXVhaXVYME1SWlQwPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PHhlbmM6Q2lwaGVyRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkNpcGhlclZhbHVlPlBtN2dVRDI5d1AwMTdLUnZKTmdmVzUxRkQ0eHlUTGJ5RDdXbElNRVZUR2xzWnc5K3ZNbUdzL2VkdXJoT2ZVZEV2SGZBV04vdUYzYkxCOTl1Q1pFN0dHLzJ0aDVBS2pLejFaN1NvZWZuUU54dnFvbXUyNUNmWTEwUzFpbitNMU13N3ZrcTZlS0c4bndEQjBDc3JsOXJ6ZUMyekNQRFc1TG81N0x2NDNNbUVpM1dYZkVhbkQwZDJZT2NRVFppaHIzUlpnajl0SDJUQmVKZjhNN28yY1BrOXFBWk40aU56dk1oWE5OV0RDR256SGxIdXNxVk9RNWM4d2l5MmwzdWlUZlk3aEIvTVhpUDVmemRPYitEbWw4NlJrT2MyUVd3RHUwQ0t1ZHBveVRxQW90OUhFZ1JoL25tVXVSQkVKQ3NtWEdyN3FOM3ZSWW5HTXRmdEswZG9VYzN6QT09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpDaXBoZXJWYWx1ZT4xY1JHdFhpWFZMYXRhSHFTMWVLM3JtTjlQcnJyZ0laR25XM0xPT25aektuU2w2dWFKWnRENXFyQkRURE5zaXg2ek15cHJPOU5KQVlQYlJEQ21CbWNaVStMSm5aSVdtT3IrQ29SdWJBUGdIT2Q3Q0VoQVB6RGVJZFh0S0V3R29hNHNKbXJRMjlCR3VSejBYS3ljTlJhU2lJa0toRm40dTZCRzV0a2dzS0RRT3Q3dmd0RzhuV21pczZqM0lYSVdrWGpXT2tKWjBHbktXajJqd3EwL3ArdEo1OXM1R3lTQi9uVy9nQW1PcjlLelhJMllQWm5CTk1xSUl6ZTZPNDBaaDRtaXpmUmdTSzM4dE5XQ3NCRlB6Q1krZjJWZVlsMzVORythdUhEZU9BRGtkQkR4d2xqRTJCV0Q2MXBKaFhuRzBTRVBIcnV1b1k3YldjWGpoNDVYLzhiM1hNcHF4ZDFjRFJPZkZMdFRMb0syVjVqcnhiRGRvcVh2TFR2NnZ5NDZGVkZYRVNEV0xmSGFxTjBOTlNsY2hORXJmcFV3SDRNUXNVOGU1UW1yeEw1QUVDVldmQytEYnNOZTVjZFhZcS8wVTBkcWJPV1ZlQkdVL3h0KzJEWmVhSFBTZVpweGhCb3diZ0FKejRlTlpQdnhIWVRGZHducXZhemRneWo4VUdHbEQvZjFoSXFHWHFja3BNbTJ2OEplZUd1akV6SDNnMXNOcEluWG40eVBaTUFLSEtOaVhIZTF3aWk1V2V5Ty9tMHlCUGZreGRrMll1S3NPMy9KWDlOcXltNXV6WUIzbmZZN1JkR21pdXBDV2tpb05aL1hidG5Bb1dDSENyc210am1kdm5rM2NBTVAvdmNSWmluQm9pSjgxdnBLdTNtSm5FdGV6cEVqaUMxY1dnTUxoLzZRK29MbXZOL1dyNVZWZmxjSFJYMWNhTEQrWURncnkybTVCbHBTRjhVKy9KYXR6NjR3Y0V2aXlqVFgwelN6VlRtakptZG44a3FvSEN0V3RvVCtWQUt0MG9CcGRMdHg5eDUzUTVTVG1rUG5xOXdnc3FWRXBGZGFHK25qM1RiZkY5K1FBMHFCVk1BVmxpZmNyb01YTzZRZlpFZUwwNWpFZWFSUGZpK0t5K2tVNUUvMFduTWFVUU1ZZE1kUFh5NW1XenZuZHMzVE5DczRjMWhYc1c2SXFoeTRnQjFPdEFVdjhIeEtPWVhrT0ZMMVN4TEs4Ty80UUUwVEFGd0hvZ0hEY3NVTEIvNDJHZ3IxZjZJVWcyTGNjOTMvN3JOUkhOV21OK21ienBJdUUvT0lRTEM5RW5yM1ErSkdURFJKajJsR0Fidzk4MnlsUzYyS2ZETDlKMWEzdzdtb0ZKM3ZubTdTUmZ4K25CREw2YzFBSDJTS0s1SmsrT3VDOWVSWllwMDdXMy9TQnJOWFVUUzhpbnpRaERLSWwvOVJ0b1Bzbyt3K3RnaCtIY2svNERaQnV0cmtpY3BGejBWZm5pK0VGZXBEZVJLT1ZwY1JNclVFeHdvWFZ3SitBUldMRnBIdDFJQjh4TmJTeFU4WUpzeDlMdWxGeXhUQzVOYWFqU0N4WFhkRENFajE5U2o2MFRYZGcwOHNRY0NYdGxUS1dLVDdQQXl1cGo5dFZtdVg2NkEweGQwdWt3MmhjbSs1bnB4REtEbUhKdWFMSUlzSDB4WDFyQVE0a3VqVHg1aGNGZnEyMDZIK2JBUE1xTEYyTjFDSnlkYUJMd2xoejRwa0tPczhMRXVzTGtySGVUK3hFeHBETnk4MzBZQ3M1SUpnTkY2R3dFcFdiaklGbVNIMlpzSnBycnB4b3h6eGtuZ29DSzYvSlRkYUVoM0diWkVmaFNlSW5kTGFnUktFcjZ5azNFMS9sNzlxTmxCbzlpUndTRE5UVXdkMmVHOENhZVpyYjJQZEIweDk2L3Z4L2lkUXNwQjNCQjkrbzBRaFhndVp5c0pDMmtIdmZUSndZZjRWVDBoL01TQnk1dGVWYU1kUWZxUmpCVm9pbGZncnFaVjlPTHZOOUw3TzUxVGFqVE1EcmdleGxIV3VNNVhMczZUK3pNdXM3WisrNys2aGNEUGg4UXpxY2ljVyt6TGpOTHN3OXhZS09CNlJ4T1NHTy9CekkxcExhbmRHSnJ5bXVsWlBicUJyZEQ1MXFWNUxwWjVBcUU2MHg5RGc0NDNJRkpPeWIxUzN3VCsyb3BBVEFDVDZQV3o0blJsNHZJc2J1M1RlVGdGTXZiUHdKdmV0U1d2ZjNwckdRNDlqVHpMaXhlSUlRTmUyOXdYamZROE1TKzJSUGppMnlpQVFCcllITWo2UzBiWFloYUVCRmFGN1kxNTRxMVJORk5rTmpmN2tVQjBTbVlnaVU4em83QjdLNzRwTm1SbWxIcitMcGtFcHVyVEU5Lzgvd1hhRWFzSitIb0UyNVlTYnFZRitxKzQ1L1NFcEJQdWpCa2ZQdkQwR0pqVCtnbGxiNzFWQU9nMTk2dGN2RFU4TUduSUN6SGM0ajJRaWVhZkF2YzZMNElvMEJRQXhnNDZXTTlIWVJyOGhZeURQNzFCMC95Sm5CV1R5QzUvWFNsRmsrQWFQeXpxdFZpMk5GeFh3bnRldzA1R1NjU2F2NDdKSEFRVFZaRlJsd2k4RkNtaUpKZWVQVWRrb2FlZExOT21oUXFMN0hmZ000RDRmOE9MaHhxdng3Ym5QQkRPMmlBcndYbHFrdy9Lc3l4dlQvZVd3NUZMOW41KzVDTWxiYnJCTEpNM2o2WkVxM3RJOWZuYk1vNmFHUERRb2RURUMwaEY2ZHdJYm02VG5tdFlLcDFZSTR5UWlzMUFURmIxbTY4R0htS0tidXNiMGE4N3BKbzRYbDlQdVdLSFRhMXBWdDBVTWw0RWJjNm14aXdyRytIZzNFdDRXUk5qaTJHQXhWMmYyekFaN1ZsNXpGRk02dmdxbFlqQ3NWZWNLekM1emp6T2Y4aDd0UThKdTUxMWJpRjlhN090cFhCWHZqVWdvcVRFV25SM1pyRjI4MkNNV3VvUXJHbjlwNFR2eldORU1iWjd2cGJiQ2tYS0t3cFhhWXNzL3pwcHg2d3JXWTRNOUdoVE45RVhXTTRXUGVpbmZ1MStUQUdDK3dISFVTd2h2TE9Ob0RsaHhqcU94MVVweVZubmxTeTV2QlBIbWRrYXgzT3o4MWhIY3hHVEtvb3N1U0hRYU9hL2xRelY4Sm9sM2RyZURobjlBWkM1bjRsa3hYV0tUOEhuQUNMS3VUTE4rMXpQUVY0UWorSDcxNUloNkZzNkE3bGY0dVloY2pWcWNVdWZrTHFvcjd0NjdOck5FekIyNSs2UVNRSlhMbTNUU2M2UTlCUDNjNUhWOGZzVHJEL043RUdJUkJGL3BTNldSMzY2UjV6WkJiWjZXbFNOek1TcnlwZnlQVDk5ODhJeGtLRFZqYjE1MkZ3Njg4OTZvUS8rckdxY3BxYlB5bmsvYkpVbThWWU1vbzA3U0J4Y2hURncybmtRc1VLT0J2MkdJT01WQ0d0YUVmWDh5YVBlcGZ4UGFxSm5tVjJTQ2U3Q09vVWQ1b3g2SzgrL21uWUZaTXJ6N3RYQ1VIU1MybDdyU3BYTStXZ013VnIwalh5OXdYSkxKK3NLM0dXSDZYVDAzNHZrMk1KZHdmcU9zQnBwTkFjeStNekd5NDlFVlFULytQb2FlT245MzM3aHBibjFnVmNMd2ovWGMzRll4REtkakY1OGNUL2d0dG52aWRhaktUcGNnQ1l4R1F2KzNRUkhidWFEWnRyRXY0L3phNnpiRGZHcEtzbklqeVVhc21HeHpiQ1Q3ZjFMQU1aYlJwaklnYi9ScVRnVnhEQXRhUGNSVU9YTEE3N29ZZm83Y2h2STd5RlJGbk9lMDNURDhHRFFLaGI5VUlzN1JmRXNYS0xVOVZwZVp3NnZ4Q1lNZDhScTlDbG5kOG1jR0FsNDgrOTRVeUFWZUdUelYzMWVCam44QjQ1R0wzWDkxL2JULzExaHZNS05YMjFQbUZ5eVR5YzZNMXhVY3IzN282YWY0SEFzVW5YZ1o4U1VLUXdKUE1WQzkrRW52RHByUjYvWS81S1l5MFVnb1IrR01IRTNaMXl0UUdZWEZZRlVaVW1NVjJVZ3oySW5pVTRhWExYNFlxQjhMRVgvRjVENnUzcVFCekhkSXhPelNTdlRiRXN6dVhuOFd4NStMNW1MVGM1U1JuNmxQZTRIUVZ1U0lLYzg3Ym5UTDFzNHFadjF0KzlaTUxLSVRHc1J4bjM1YXFZdVBMdDVOM053MlBZUkg4ZHFyZkwvWlA5WW5CWXo2aEFlWXZQVG5pYWF2ZVYzU0dNeW1VRVM5YlVtbHRjOUo0NnR3MkNwYkkxT0NDRDJ3dW1ucTlvbkZEam1oQUticENkaVNlSXFyNll4Y09QbzFXTnNVMmR1Z1Z3L1dYbTl5RUJ4S0o1UHJjNHJhdjhPT2Ezc0g0Z0cyYm9KeEMrMTluenZDbnVmTTRiRVQ3WVY5SVdmaDJLOGJacytRYTZPYjBTOXZnUWw1YWhGekpCUGhNUW91NjhKLzNkQm5ScUlPUENUMUhxcDN2aktlR3B4bGQxRDl3azZNYUREakl4aTJvWDQ3azZYREt6UkprUENabnJFTDZSblRodFJ0dzhiRUJCblZvdTdHWlZMZWtmRmw1MGlHTldBTmJpYTFGaDhad0c3SmxGbnhQZkhOdHYwM1QrT0dmOGhnMDV4YVlWQjRtZURKeC8rWmJBQzBKYUpYeUpNMnJmeTVuY3UxTk9BNWdEV1E3Vkp0MlFyQXh2cmQ5TVV4eHRnbHRtek1Nc1FZbDd3QVByMk5QRW1Nck1EeXJCcVRNY0JWbVg2N05sNGhBck44WUQySE9WZW5pZkkzcGFZSXMySTg3eWJ4SVNsMlEvbDFySXdScHFZSFVzRGNqVjBmUzd5c2VVZUdnK2hEMDdZR1RWaVkvT0JHeEswMzJneUtUcFdVMHFibW8rWTYvWkdVdnBqbldCRWJ5QkhkZ0xia0JUL29CNVE0azdLMi9TQXd6N29DZStJWG9OYkxYYkFNSGZIS296WFNxUysxQkN1TUUxSnNsWGpSWFk1WWJnRms2MU8zUndLRFVMaExUNUdmSlVFUVNoU2h2S05naHYzOUlBY1o2YWlFWlp3WVBUK1BudnNpc1hKanFiM2lhaU1yMCs5aEIvR3hrOHN5amRuVU1mL3FJOEpRU0k5UVhIZ0t6UU5pY0dSZFdjNUpXUkZreUIxMzh5dUF6NHQ4eHI1SzFhNStBUHJ6M1JJem1KWExpSlBySkhhcnlTL1ZNclBKaHR4WFpoYVlsYlJPRFptaUJjci9LVGlaVk02OWNlK3ZTa2FtZHFCakxFTThNWHZXQzRUY1poSDUzZXlmblJNUjIyb3hKVEVlQjZDYWJFZ3diNjNtQXlVb2JUSkdabFlvZ2NpbTZXZ3MwWnFDNllhaVR2dzNuLzEwWnhHWE5XRnNMRGhDa08vTGxqQWh2SXo0VElnN2F1UCsybXRNc2pram9IVDRDMG5QcXhGREZHanVRRHJpblRDZU1ZRGtnVTBhRTZtMzNnRGp2UEZDbGNqTEc4bTd4REtKbmwzTDNsVCs1eUNJSTNvY2NqaGxpTGVlN3JzSklkeFFaeEd3aDB0RUtmSThtdGYxbzlOSnllMEc1UnpXOTdiOXk5T0hEaVloTWNtalFHVHA5ZE54a0h2cU9qak9QbkdBL1FYZDcwYWVHVy9PT25MUjdBdkRzS1owbENrZDN6dFh6eVVLZ0VwQWRHK2FSbkNsT1JodG9xZXJwN1VxUHJvTmRGdHVNWStnOTlyWU9XS0RxSEo0ZFBBK3lRTkFRTHVBNTBLMU5RMHgzbEdlSlpaaTQraCthN1RRdDF4UVNqODBWVk4zR0VJc1I3WE02RXRNa0JLa2h0NjZoS1pQejJpT29mSVl1YUl0QkJiUWRZN3RXTW9LMElUL2ttbVMrK25MSmJiOUh2WDdqMGxvVWhqVFdocHF1MDQzcHRVeVBvWlVEaEVicmVsVzJldW9kc2ZuNHhoN1A1VUlaR2FNVU5HZ2k1bnF6a2p6MXVzaDEzU3huN0g1NTdZeGlZV2p2TmVJWmd6ZGJWK0dKdERDczBoVm0xZzhpbDh2MnEyazViLzlRZWh1NVVpTFNVZ3AvYVp6d1hOL0xkajQyVWxpWHM4TWRPOHVRVFRnZzZDb0dEbVcvaGJZZU1BV3NFelBlUGliRENmU0t0c0gzTlNGWWRUU0hFdjJYUU0zOEkvL2JpTlR1VWhSNzYxT0U5Qy9ndVFmd1lnbkRJZ05uV0NPUTdYRXRqSHZ2SDM2OUZiSEtnNlpwVmlzRWlEMk1qYnpCbEJsTm5FTFFBU3dQOVVBME1iWVQ2L0xuS3hYTnJXTDRwYWs5WjA0R3FBTm0ydTVxcFp5WGZFZzVGWXdUODVHbUpmSW9JQ2lCSk1JeHE0bXlwdTZ4dWRPdnhPeVVCZFE2enQ0dDR4MHp0TWQ3KzlNN3YzdjNjTVZOVFh0WG9NUEZLL1NKQWRaSGVxb2ZIS0FtcEJiaWV2ODhWL05XaVR5SVVUT1c3bkxGdWpSYUtPODZmWnB5c01kKyt5Q0crcEJDZyswZFY5d3RuYjhkdnl5d2hENkoxTExoelQydGZhUU5mWHZ3VUw1d255M3R3Zkd6M3NhV1A2YkYrSmpZd000SlltYjdEbUNySTZML3M5WlJ1TWlGclRFa3JqNUJ0T2oyckpObFlwZ1NWZ2Z2WWtLWDhmZFVhdWczRWRzVktheThkNzRwUE11S3gza0g3N0ZWbktUdWNiTEdSS1AyU1FuT1RvbE1ZTHNlQUhOK2phUkNpODJldTRFVzBxbWNmYjJNM2JjNVBzd0s3UUVQSWVnYW02Sm5jMFhOeUVPU2NWU1hmUUZEU3FGME1jSkVjeVUyQmIwaFgvTStNazd3SEFRUjBxa2tOQU5KYXkrbFAvQVliWVJ1dUtPWTdXRUxheHUzM0dhZ3pZeU5scWJFR1BQQnBTU2tTbCtiMXEyZHRXWGhmd3JXV052Z3lnMUQ4eVN5U2pJUXNaTEUyS1pab2RuZ2labUtqUERjd3pDMFBvcENSVXQ2ZFBZM3ExWTJjMk9Bd1BpY2NkN0YrYWlSSjdzNWpPei9BOHp5NlpLdll1ZW8xSDdoaVd2dFlJZ2YrQy9MaFFuQ0UxR21rODNzdURPQ3JQSUxPMDduOEcrMjZoenEvQ3lGKytGdHNyb29XUTErb29TanNmQWpXaDZ1QUR2N29DbmN3OFdmdjJXVk5pcGVHZU13UlJpcTFuVWFGN3BwK3dONGdsU3NVZzZ2V21GdHQ0QURFeXp3ODBMRExPNGszeXpsQURmc3pJeFc0KzNsT3FKN2loaklvSkMzRlB6djRWNXE5VWFlWjB2NWt2bk5YTmZUb3k0eG95dFROcUVTODFZYjZiK3R5R0pqZFRyai9WZ3l1dEU1b2oyN3R4YU9ObGloYzhObDlQbzZZb3ZrK3BFUU1vMEQ4SlVXNi9qL0FKUnVTT0I1MllMN1BJK3FFQXpIY0tYTXg4d3l3bEVHWEdrako5QXBoWTA4MUFyazJWclA3UEJEd2xwcENlQUtjZ1R3dTNtN0lRL1FibzFQMVhwMlB6U1hVbnI2N0xiRmFTT3ZjalNtNGlBQ3FjeXVPaDFVb0pIRGRRZWJ6UTdrWEdiQ1R6bEVPZ1NRazl5RzJMY25mOGVaVHBvRXZTbUpRNGcyTEovRkpjelBheGI5cUZXaTF0cGt2OVFrd04vTTVSVWd6QmNjNjV2ZUZQZE1ES09VRmU0UnNtV3htbFo2ZXBwQmJxVk5CbFhoQVBIWSs1aXRjWVR3eHVLUGJNRUNjcDYwc01xUEEyMDdoOWl1WVdvclRMMmNyMjQxSlBDQ3lvZVR5TDZ6MjhmbisyQXR5akxCVC8ydXpaUm9iejY4dzNDRUpLU1paQVlURG16ZWpaWXdVbmkxQ3BhM2JEcDNZcHd6ZkFIeEtSbmtwblJUS2gvUmFYVy95RElZb0U5eHQrcFBjb0kycXRLWGZpMjcxRXQ5eUMwTElvRllFQ2dQRE1GRGp2dGZlQTlnS2lpbWNiUThSSGdld3c2c1VLRS81L0VJcGlRS2t0UC9oSUtna2VHbmkxSXJHbnJYNU5aRmVlN1R0V3BlK3ozZUhCRFdJNlh4TGx6a3Y4ZzdQS1ltSkpxZzY2Unl5K1UzSlBkbk9pSkxoTWRzSmd2NDRlNm55am5VK1V5RWRpN3VGTUdoaFdOUlFSNWg0Y1JRMTB4MXMyNUdyUzhZWDlOdWVZNk5nMlAzYUJ4R2E0enZMa3YrSzA2czN3dUl2d2piSWxkdmpqdTM5di80eTlWMlo3VGdRWlFVUVMzQUd5NmFmQ296VXNnN3pFQitOZmx5U0ZwUDQ4eGY2U0NHWFcrbXZ6NVVabWlEMUErNkFlRlBmTktFd1lWZFB2OXN2aElaWlJ6cVQ4RTRNNCtaVUlxS202ZGplRHp1QmdGaEV4djNZNzZlNDd6OFhCa1p0SFV6aHptNlZPTW1rT2JualFlekdWTTBVdnlGbzVYWVZQbzhTQlo5TVBqd1NVbm9CUzB2T01Zb3BSdTBDM1BQR2NVSVFuZ1BncGF2WVRlTHpTWXZzU055WEwySnEvRUd4eWJUekYwN01Kek44VDN6SURUcE9FUjRUOGVGMEl6czVLcERSdFV6c1JLQjFwNm5RcnFmRFdTcE9VRDB1cXU1U3pPTE8vZkJrb1V5QWlWaldtMUFiNWxtSjZWMW4zRHJLazQzVVBMeTJ2MmFMWWZsMWR0QXFkSHBqY2dwaVdLQVptVCtBMU8zMFRLQlVQR3lnTlN5bW45ZGI2ZkJFQWphTG9USG9DS0QrR1RzNTgvTThpb3htM1NUd0F3K1FJUjAyV3RYTjJGM0JpQWV2Z1pGR0xRNEk3eVVvZ1RXdzh2VnFiY0pZWEZOclF2NDl0eVRBcjhRWnhpamIyM1p2Y01EM2ptcDBNbURoTGZza212T0d4WkdLeW9ERzk3b0k4cW1mbzFjQjVxMVUzSk1NSDFudEFiZTl6MWZFTVNOeVpCenVMV3QyQk9MTWU3akNQR0pYSThmKzUrcllmVGJEVlRxeldQK3lrN1pFSVF5TW9kcitoSlE2eEQ4Tm83Q255KzFpMlR0cU1wTGF5YlowUDVDRzlNQ0h6eHMwbHp6bjJiRVFyUmUxVlg5TUJ3NHVmNFFCeUZZZ1phUmN2NzdNdis1alV5QnQ0amhVd3dxdWp3eTRjL3VYdytQQU9iMHBsZ2s0SG8yUDcvUm10bmE0bnZBQWo2Rzl2cVBVS3pqTnh3RmRkRWxFb1ZERDUrK3Q3TnhhYVVXZzljRjhLRFJZU0M0enUxbXNXQXVYZFQ4aEd2Q1lmNjd4bTc1SVB1SnRtZ3FCWmpYUjg3b0NKb3h3aXZ5bzh0dHRxbUFaOFp4K0VCY1hqV2pLMzVKMzZvVFZ3U2JOcnFJYjZLbmpHbEZYSVN3clBORWkrUmtMb3RhU3lPU3ZuS251bERjM0doaEVYYXNCY3dEMElPNzNpZEk0YmlnR2F1bW9sSFF4QWVMRytVOUZycUY4dGdRT1dMenY0aHd3SlFHL2NpNE5GYmZISWpEVnM0bXM5WTdzQldUNkI1T1pNTzZyRE1wOUlsZG1Fcm1VUGE4ejU1ZVdqMDQ1YUxEQkt0Q1k5UHpXaHZXWHhqeTQ3SmxCU2ZETVBNVFhReHJ0T1B1SjRLSmo1V05xTlg3WXoxaTJMTm5weG5KbnltOWNsVTdGV1MrT2dUeTNBOWpYaTFCVXg0QjBHZzhXWUl4LzVBd0pzU0RPVC8yV0NpM09jRXhtUVRveVZrQ2p5UE55ZWNOck9GQmRQenowa1NaQjNJaFU4dW5OT1N0YytaNjdOZnF5K0kvRTlaVDczcUNCYVRJN1UxSFZxQzlsSnluUk1zbUZmMUdvbGNROG5DbXZvK0tPVTVtVkVzL2xvQThIZ3pWZWVNR043SkxaOFhJcUVkbnp5NHQyNlNRbTlobVY2ZDRiS2ZjQmk0MG9XNGZRUFdZRG1pWlorR1MrTDhuSnlYdzNBWkRIWkdKWEhFci85S096RFF0OVU0WVdpYS9NMTIrbFNyWmd5QmlrdWxnbnBBYmU0ZERpMUZMQTZMMUQzQjBIUlozRUdHamRRbng1R1hFZXhnNG9CVlQzS2dRbmpweXJrN0YzR0tQOUhGdnFLTUZ6VWJoL2RCV3k5bjRWc2JXUFlkSDdsSDFyVUg0YzdwN0lrWGc0VlREOE11MzV3b3ZORkErWkVBYmR3Z3o2dTR6NXZpZzhIcHNiUVpNVXZFVy91VE83cVU4UW56Z1o1NHRHcGl2YyszbnBhYnhSUTZSMDNpMHZYdDZCb0JJckFBMndxMmxzMTVSTXhleFZWczdYT25ORDRlcHFoMUJzR2pROC91ejZya1dRNVJFenNCeERxbXpZSTA1UXhYZlducUM2WVloWXpON1FQUzh0SGpYbGxsN0VzKzhVYzhzTytjRkE3REM3Y0hRbVZGaVpXN1NZYmFtTmFHc2FpY2VYTHE4Q3YveDJIZ21oUzYveU1qUFVFVkhoOTVZdHdhc25kT0p5NGdBbUlEWkh0d2RsOWxXY1ZDMDl4MUlBakt5UWlpQjRPLy9DcG9qZjFOUmNiUWF3VVBKMGI5ZXJyWDNFVWM3cU5Vc2NGMlpubXZVVThxM1g2UFVpb2p5TDVGMUFNdWJzcThuOTFmaG5FUmwrY2syQUJWYm9yeEhORlpSVXgvVlNYNHRMZzROUG1VcmhlalNoNXJZUkl6S3Q5OG9PNTBsTlEraS9RVkZUbmt6Ym9SUkkrS0NTM1o1bzJZZ0hlOGx2ZGhDeHYxZ3hjVGhRM21pd2dIeDdmR09LV1Myc2psSkxYanMxbm9raVowTEZ0NTIxaWYzKzFSYVZlRHpCU1hYRFFZVCtwbEI1S0M2L0ZOZEpDWW9mZGVTY0gwK0lHN2FyeWRyOUhUOU5SMXNHczZnc2JYQnNnWnViNXFKVmYzSisvQ3kra2FCYzByTEtyZ3UzZmlGUG1uMDdhWGdtK2xRVjBPVlVkaWVoNm5vQ0oxcHczT2VNdWJ0TU9rcmQyUWRFNEQ3T1ZoVithdUM5b1pIc09uQXhDYnZoYXovTTZYOEFaNXducHUvZVdwdDZ2WHBhWHpXVklJcVBET0NFMnRCSTcrNlNmTHdjVXFlYU5ZSVhtUlRwNnRUOGhhcDduZXpDZldqUGZxU2ZMVGljaFpEU1dlR2hYTXZWNTRCODJ2eWJoM1NBNXZCZDdwRnkzWTlxYnNCaHZDbHRKWmwzK044OXNnbTNJWElyeU5MT3JmL3VUMVJ0NDRrVDNleFM5N3FCWVpteGZXZW5PeUxqOHAxZGJlSjd6MlFxeE1xZXRia3FOUHBucnduMUFMV3VkSU5ZOGhLYnJYS0RDQmhWMmNQTkg3VWdTcnZYVFV2T1UxRnVyQ0FGRThSa09vcWxobUZ4SXRRUHUzNWd4MWFqaVFBTkMxQllTdlkvZzZyL2lLMHRlekFoRGNtaW4xVWF3Qk1qMkZHK2M4ZXdCYzVVbzN6ZUNIdERYVnlsSlY3UUdGVGZZR0JOWmlKUXJkYnFXRmEra01tdjRJUWYzSjY5bjBEeVNwRTJVY0h5dlFKQ3d0czlUN3NMU2h6WWFNVFVKUUFmOHhwcjBXKzVac3NHMjhJcXFsSTNkbUFpM0dQa2REblE3c0ZiNXBWSVVFVHRUQm9kMEp3K0U1UGgvY0Evbk9FbHpRYXRXUmUxWCs3NFl0bzdZSWJBRW56NW1YSGlva1hnTkVzbEdUWXhzWUo5QVBWOSt4WjVKTk1VWFl0OGhrVHBwaFBzN0FlazFpOXhsMW5sbm5FYnY0M3hnM2VMYTRySDBBcy8wTE9GK01yV2Z0aDBoWnQxanJCb05ycmNHOG1WWVJyd29YaXFIS3NSZTRVYTQ4a0YvRXVRWFZKeUZPV05KNUJjYW9xOSswa3lJdnVoeVhxNS9UL0tJTG12cFpTMzZINHJ1bFJhRm1Hb29sejBtaUl4V2FrdHFpUjF1VjhYaWtiekZFUzR2cGV5NHVKMWVBZjUyRCszL2NLY0V6V2E2KzU2VGRFQ0VKQWExWDl2Ni83UzFDZlBxaVkwN1lNMXZXdXNHcEhPQ0FSTFBDWGZ5V2ZXQytVSThPM1FkSEhRaC9XNXpzZ3RFWnVhYWhkWk9lY2VsQmtnS0NIZ1o4NTFpN2IvY25EN2VsRHlCVGJuNHFKRWhSWVRLWUNRZW82SEpFd1N5b3NhOVJrU0lpQklBaGVHaTlSRWJYY2xMY1JnR3FoMXp5Qi9JUHFmMUtXOXFMbzhzaU9wRUlUU3BOeks3NSttMlc0L2c4TjJLTGgvb1MyeGEyTXZGU0pTemdZZmpwYjlOK3pVeE5XR0xjZDVQR2J6STdkYW4yY2tKSmE2UkhLRG1WTWtqYW1ZTHh6M0ZKK29SdUFhTzFpcjMzWGViSGV6ZHErQjRKT2FweVhleGs4M1hIbG1kS211UTg1aWdqRmZPVElHMmFJc2FXcTdDL0ppZmdyK0pqdVRoSm55TVdyYkNSRTV2VkZ0MEdJYWlvR1NsYktIM1RYUnhaK0tXdXozZ3ErWXIzSWNrT1RIRUgwR0FERy9pc2lQSWV4bHJHNmRZaW43V20vUGVkRGVzd0t5TFlwVFMxejNzVGVTSXRFbXpZSERNRURzS0FsNVh5anZOalJvNzg5OHVhRW5pMWIraWpCc2p5b01EY0RFaHcxZzhseWpIZldrSjRwRitIWGpuMzJBak9qb0ZuNVIrcWM1ZWpsTVVxV0N1OUU0UWJTZWtWbmcwSW02OG9naWF5WVVDQTlZQklSd0Y5b3l2REZ5WGRJblhFOFFsZDRkYks2dUpwM2xzbERkclNWczBZQTdxRnBQY0MrWWdFZnBEa2NraXVjR2RINTFWaHYrMmJNWEpabmdNMTU0Sm0rcUJ4MGhOd1R0K1AyMGZ6ZlpueDh2TEM5c3RxZUxPVm9lNFhlZzhQS01TdFQ1ei9yRGQrZk1nTVB2MHd5bWVybEM5ajJ4L0tMYnRTQmtNa0hkTXZjWVY0cjhJNkFCV0tvNE50QmhTYk8wdUcreDUwbjdkOTFhb1R1ZmhrM3plajV1dEM0ZElGRmdFMkZXMmdvcldzSTBBT0huVXJadlgrYmJxYmFZUFMyT05XSW9wcW1hVVUrVXZPUzcwM2Q4WWtjSGFyaTdFREE1dVFKVG5xT1I1YkpieFk3U0hjWEVmMFZFeldpcGgrL0FKMmYvSzJUVUhoNjZZMnpqdnM4cHdKZURKRUQ0U080OEZHMEtOTjk3UzN5NEJMdz09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWREYXRhPjwvc2FtbDI6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg==' } + }, function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should return a 400', function(){ + expect(r.statusCode) + .to.equal(400); + }); + + it('should be recognized as an invalid xml', function(){ + var err = JSON.parse(bod); + expect(err.message) + .to.equal('SAMLResponse should be a valid xml'); + }); + }); + describe('SAMLResponse with utf8 chars', function () { var user, r, bod, $; diff --git a/test/wsfed.tests.js b/test/wsfed.tests.js index 4875df9..7a8325e 100644 --- a/test/wsfed.tests.js +++ b/test/wsfed.tests.js @@ -7,7 +7,7 @@ describe('wsfed', function () { before(function (done) { server.start(done); }); - + after(function (done) { server.close(done); }); @@ -17,7 +17,7 @@ describe('wsfed', function () { before(function (done) { request.get({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5050/login?wa=wsignin1.0&wtrealm=urn:fixture-test' }, function (err, response, b){ if(err) return done(err); @@ -30,7 +30,7 @@ describe('wsfed', function () { var wa = $('input[name="wa"]').attr('value'); request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5050/callback', form: { wresult: wresult, wa: wa } }, function(err, response, body) { @@ -85,7 +85,7 @@ describe('wsfed', function () { before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5050/callback' }, function(err, response, body) { if(err) return done(err); @@ -106,7 +106,7 @@ describe('wsfed', function () { before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5050/callback', form: { wresult: 'foo' } }, function(err, response, body) { @@ -122,4 +122,33 @@ describe('wsfed', function () { .to.equal(400); }); }); -}); \ No newline at end of file + + describe('invalid wresult (xml) in POST', function () { + var user, r, bod, $; + + before(function (done) { + request.post({ + jar: request.jar(), + uri: 'http://localhost:5050/callback/wresult-with-invalid-xml', + form: { wresult: 'urn:fixture-test12345678urn:oasis:names:tc:SAML:1.0:cm:bearer12345678jfoo@gmail.comJohn FooJohnFoo12345678urn:oasis:names:tc:SAML:1.0:cm:bearerfxxeOWyp3M3cVfglUEg0Fc0mVAm7QVCyrSX2Kflq8VE=ETv7SqrEoHYP1FTLcdylyDZotyJ1uuNNCLo6sw4cm4YAnGz/OYUIssUb0s82C3NCfV5ifvryr5khnZCNfRvEWJPsIZAtaSPHeeO+x3ajIDd/qfklNBHpdEYMP2WbcqPA6pYeh+OHgAlG6srsLDO8fMymUa/T8yACIU7cwnouEaYESWRU2fqKOXpeUxB/pENiY+qxPTvxzRYld5OlR+sNAJFPIvl3V5G+vw0mx+7tZteKq7yX0djpwEoFfXAcMzvLoqLqENjxPanmVPv7qvv7dIdI0kPE6jret50sHkHpQ7XZJmGi6cNc+/kvhSHXhD3vJ0u3BP/qCCPYPHz42z+KIw==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=' } + }, + function(err, response, body) { + if(err) return done(err); + r = response; + bod = body; + done(); + }); + }); + + it('should return a 400', function(){ + expect(r.statusCode) + .to.equal(400); + }); + + it('should be recognized as an invalid xml', function(){ + var err = JSON.parse(bod); + expect(err.message) + .to.equal('wresult should be a valid xml');; + }); + }); +}); From 99ae83707f9c714c3af6688cfe4a20c3b0549496 Mon Sep 17 00:00:00 2001 From: Sandrino Di Mattia Date: Wed, 24 May 2017 21:16:25 +0200 Subject: [PATCH 194/203] Indentation to spaces --- .../errors/AuthenticationFailedError.js | 2 +- lib/passport-wsfed-saml2/saml.js | 6 +- lib/passport-wsfed-saml2/samlp.js | 8 +- lib/passport-wsfed-saml2/strategy.js | 38 +- lib/passport-wsfed-saml2/utils.js | 36 +- test/saml11.tests.js | 2 +- test/saml20.tests.js | 8 +- test/samlp.tests.js | 6 +- test/utils.js | 2 +- test/wsfed.tests.js | 6 +- yarn.lock | 562 ++++++++++++++++++ 11 files changed, 619 insertions(+), 57 deletions(-) create mode 100644 yarn.lock diff --git a/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js b/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js index 1cb8737..cd1ebdd 100644 --- a/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js +++ b/lib/passport-wsfed-saml2/errors/AuthenticationFailedError.js @@ -10,4 +10,4 @@ function AuthenticationFailedError (message, detail, status) { AuthenticationFailedError.prototype = Object.create(Error.prototype); AuthenticationFailedError.prototype.constructor = AuthenticationFailedError; -module.exports = AuthenticationFailedError; \ No newline at end of file +module.exports = AuthenticationFailedError; diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 06e69d1..dce5ffc 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -33,7 +33,7 @@ SAML.prototype.certToPEM = function (cert) { SAML.prototype.validateSignature = function (xml, options, callback) { var self = this; - xml = utils.parseSamlResponse(xml); + xml = utils.parseSamlResponse(xml); var signaturePath = this.options.signaturePath || options.signaturePath; var signature = xpath.select(signaturePath, xml)[0]; @@ -247,7 +247,7 @@ SAML.prototype.parseAttributes = function (samlAssertion, version) { SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) { var self = this; - samlAssertion = utils.parseSamlAssertion(samlAssertion); + samlAssertion = utils.parseSamlAssertion(samlAssertion); self.validateSignature(samlAssertion, { cert: self.options.cert, @@ -265,7 +265,7 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { samlAssertion = self.options.extractSAMLAssertion(samlAssertion); } - samlAssertion = utils.parseSamlAssertion(samlAssertion); + samlAssertion = utils.parseSamlAssertion(samlAssertion); if (!samlAssertion.getAttribute) samlAssertion = samlAssertion.documentElement; diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 5642c45..caac1f4 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -202,13 +202,13 @@ Samlp.prototype = { }, extractAssertion: function(samlpResponse, callback) { - samlpResponse = utils.parseSamlResponse(samlpResponse); + samlpResponse = utils.parseSamlResponse(samlpResponse); var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion'; var done = function (err, assertion) { if (err) { return callback(err); } - assertion = utils.parseSamlAssertion(assertion); + assertion = utils.parseSamlAssertion(assertion); // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion if (assertion && assertion.prefix && !assertion.getAttributeNS(saml2Namespace, assertion.prefix)) { @@ -252,7 +252,7 @@ Samlp.prototype = { getSamlStatus: function (samlResponse) { var status = {}; - samlResponse = utils.parseSamlResponse(samlResponse); + samlResponse = utils.parseSamlResponse(samlResponse); // status code var statusCodeXml = xpath.select("//*[local-name(.)='Status']/*[local-name(.)='StatusCode']", samlResponse)[0]; @@ -283,7 +283,7 @@ Samlp.prototype = { validateSamlResponse: function (samlResponse, callback) { var self = this; - samlResponse = utils.parseSamlResponse(samlResponse); + samlResponse = utils.parseSamlResponse(samlResponse); // check status var samlStatus = self.getSamlStatus(samlResponse); diff --git a/lib/passport-wsfed-saml2/strategy.js b/lib/passport-wsfed-saml2/strategy.js index 8300806..63342c1 100644 --- a/lib/passport-wsfed-saml2/strategy.js +++ b/lib/passport-wsfed-saml2/strategy.js @@ -204,25 +204,25 @@ WsFedSaml2Strategy.prototype.authenticate = function (req, opts) { return self.fail('SAMLResponse should be a valid xml', 400); } - var samlResponseDom = utils.parseSamlResponse(samlResponse); - self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { - if (err) return self.fail(err, err.status || 400); - - var verified = function (err, user, info) { - if (err) return self.error(err); - if (!user) return self.fail(info); - - info = info || {}; - if (state) { info.state = state; } - self.success(user, info); - }; - - if (self._passReqToCallback) { - self._verify(req, profile, verified); - } else { - self._verify(profile, verified); - } - }); + var samlResponseDom = utils.parseSamlResponse(samlResponse); + self._samlp.validateSamlResponse(samlResponseDom, function (err, profile) { + if (err) return self.fail(err, err.status || 400); + + var verified = function (err, user, info) { + if (err) return self.error(err); + if (!user) return self.fail(info); + + info = info || {}; + if (state) { info.state = state; } + self.success(user, info); + }; + + if (self._passReqToCallback) { + self._verify(req, profile, verified); + } else { + self._verify(profile, verified); + } + }); }; verifyState(req.body.RelayState, loaded); diff --git a/lib/passport-wsfed-saml2/utils.js b/lib/passport-wsfed-saml2/utils.js index f9e99d8..060baa3 100644 --- a/lib/passport-wsfed-saml2/utils.js +++ b/lib/passport-wsfed-saml2/utils.js @@ -6,36 +6,36 @@ var WSFederationResultParserError = require('./errors/WSFederationResultParserEr exports.parseSamlAssertion = function(xml) { if (typeof xml === 'string') { - try { - return new xmldom.DOMParser().parseFromString(xml); - } catch (e) { - throw new SamlAssertionParserError('SAML Assertion should be a valid xml', e); - } + try { + return new xmldom.DOMParser().parseFromString(xml); + } catch (e) { + throw new SamlAssertionParserError('SAML Assertion should be a valid xml', e); + } } - return xml; + return xml; } exports.parseSamlResponse = function(xml) { if (typeof xml === 'string') { - try { - return new xmldom.DOMParser().parseFromString(xml); - } catch (e) { - throw new SamlResponseParserError('SAMLResponse should be a valid xml', e); - } + try { + return new xmldom.DOMParser().parseFromString(xml); + } catch (e) { + throw new SamlResponseParserError('SAMLResponse should be a valid xml', e); + } } - return xml; + return xml; } exports.parseWsFedResponse = function(xml) { if (typeof xml === 'string') { - try { - return new xmldom.DOMParser().parseFromString(xml); - } catch (e) { - throw new WSFederationResultParserError('wresult should be a valid xml', e); - } + try { + return new xmldom.DOMParser().parseFromString(xml); + } catch (e) { + throw new WSFederationResultParserError('wresult should be a valid xml', e); + } } - return xml; + return xml; } diff --git a/test/saml11.tests.js b/test/saml11.tests.js index 19a8b12..43a0e3d 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -65,7 +65,7 @@ describe('saml 1.1 assertion', function () { var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { if (error) return done(error); - + assert.ok(profile); assert.equal('вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']); assert.equal('сообщить вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']); diff --git a/test/saml20.tests.js b/test/saml20.tests.js index ab8fe0c..8d91724 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -76,7 +76,7 @@ describe('saml 2.0 assertion', function () { should.exists(err); err.message.should.equal('assertion has expired.'); should.not.exists(profile); - + done(); }); @@ -104,15 +104,15 @@ describe('saml 2.0 assertion', function () { var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'}); var profile = saml_passport.validateSamlAssertion(signedAssertion, function(error, profile) { if (error) return done(error); - + assert.ok(profile); assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', profile['http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod']); - + done(); }); }); - + }); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index f253bcf..6cda1de 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -144,8 +144,8 @@ describe('samlp (functional tests)', function () { }); }); - describe('SAMLResponse with invalid XML', function() { - var user, r, bod, $; + describe('SAMLResponse with invalid XML', function() { + var user, r, bod, $; before(function (done) { request.post({ @@ -170,7 +170,7 @@ describe('samlp (functional tests)', function () { expect(err.message) .to.equal('SAMLResponse should be a valid xml'); }); - }); + }); describe('SAMLResponse with utf8 chars', function () { var user, r, bod, $; diff --git a/test/utils.js b/test/utils.js index e09fe6b..95bb7c6 100644 --- a/test/utils.js +++ b/test/utils.js @@ -1,7 +1,7 @@ var xmlCrypto = require('xml-crypto'), crypto = require('crypto'), xmldom = require('xmldom'); - + exports.isValidSignature = function(assertion, cert) { var doc = new xmldom.DOMParser().parseFromString(assertion); var signature = xmlCrypto.xpath(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; diff --git a/test/wsfed.tests.js b/test/wsfed.tests.js index 7a8325e..1950079 100644 --- a/test/wsfed.tests.js +++ b/test/wsfed.tests.js @@ -130,9 +130,9 @@ describe('wsfed', function () { request.post({ jar: request.jar(), uri: 'http://localhost:5050/callback/wresult-with-invalid-xml', - form: { wresult: 'urn:fixture-test12345678urn:oasis:names:tc:SAML:1.0:cm:bearer12345678jfoo@gmail.comJohn FooJohnFoo12345678urn:oasis:names:tc:SAML:1.0:cm:bearerfxxeOWyp3M3cVfglUEg0Fc0mVAm7QVCyrSX2Kflq8VE=ETv7SqrEoHYP1FTLcdylyDZotyJ1uuNNCLo6sw4cm4YAnGz/OYUIssUb0s82C3NCfV5ifvryr5khnZCNfRvEWJPsIZAtaSPHeeO+x3ajIDd/qfklNBHpdEYMP2WbcqPA6pYeh+OHgAlG6srsLDO8fMymUa/T8yACIU7cwnouEaYESWRU2fqKOXpeUxB/pENiY+qxPTvxzRYld5OlR+sNAJFPIvl3V5G+vw0mx+7tZteKq7yX0djpwEoFfXAcMzvLoqLqENjxPanmVPv7qvv7dIdI0kPE6jret50sHkHpQ7XZJmGi6cNc+/kvhSHXhD3vJ0u3BP/qCCPYPHz42z+KIw==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=' } - }, - function(err, response, body) { + form: { wresult: 'urn:fixture-test12345678urn:oasis:names:tc:SAML:1.0:cm:bearer12345678jfoo@gmail.comJohn FooJohnFoo12345678urn:oasis:names:tc:SAML:1.0:cm:bearerfxxeOWyp3M3cVfglUEg0Fc0mVAm7QVCyrSX2Kflq8VE=ETv7SqrEoHYP1FTLcdylyDZotyJ1uuNNCLo6sw4cm4YAnGz/OYUIssUb0s82C3NCfV5ifvryr5khnZCNfRvEWJPsIZAtaSPHeeO+x3ajIDd/qfklNBHpdEYMP2WbcqPA6pYeh+OHgAlG6srsLDO8fMymUa/T8yACIU7cwnouEaYESWRU2fqKOXpeUxB/pENiY+qxPTvxzRYld5OlR+sNAJFPIvl3V5G+vw0mx+7tZteKq7yX0djpwEoFfXAcMzvLoqLqENjxPanmVPv7qvv7dIdI0kPE6jret50sHkHpQ7XZJmGi6cNc+/kvhSHXhD3vJ0u3BP/qCCPYPHz42z+KIw==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=' } + }, + function(err, response, body) { if(err) return done(err); r = response; bod = body; diff --git a/yarn.lock b/yarn.lock new file mode 100644 index 0000000..d872c28 --- /dev/null +++ b/yarn.lock @@ -0,0 +1,562 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + +assertion-error@1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/assertion-error/-/assertion-error-1.0.0.tgz#c7f85438fdd466bc7ca16ab90c81513797a5d23b" + +async@^2.1.5: + version "2.4.1" + resolved "https://registry.yarnpkg.com/async/-/async-2.4.1.tgz#62a56b279c98a11d0987096a01cc3eeb8eb7bbd7" + dependencies: + lodash "^4.14.0" + +async@~0.2.7: + version "0.2.10" + resolved "https://registry.yarnpkg.com/async/-/async-0.2.10.tgz#b6bbe0b0674b9d719708ca38de8c237cb526c3d1" + +base64url@2.0.0, base64url@^2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/base64url/-/base64url-2.0.0.tgz#eac16e03ea1438eff9423d69baa36262ed1f70bb" + +boolbase@~1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/boolbase/-/boolbase-1.0.0.tgz#68dff5fbe60c51eb37725ea9e3ed310dcc1e776e" + +boom@0.4.x: + version "0.4.2" + resolved "https://registry.yarnpkg.com/boom/-/boom-0.4.2.tgz#7a636e9ded4efcefb19cef4947a3c67dfaee911b" + dependencies: + hoek "0.9.x" + +buffer-crc32@0.1.1: + version "0.1.1" + resolved "https://registry.yarnpkg.com/buffer-crc32/-/buffer-crc32-0.1.1.tgz#7e110dc9953908ab7c32acdc70c9f945b1cbc526" + +buffer-crc32@~0.2.1: + version "0.2.13" + resolved "https://registry.yarnpkg.com/buffer-crc32/-/buffer-crc32-0.2.13.tgz#0d333e3f00eac50aa1454abd30ef8c2a5d9a7242" + +buffer-equal-constant-time@1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz#f8e71132f7ffe6e01a5c9697a4c6f3e48d5cc819" + +bytes@0.2.0: + version "0.2.0" + resolved "https://registry.yarnpkg.com/bytes/-/bytes-0.2.0.tgz#aad33ec14e3dc2ca74e8e7d451f9ba053ad4f7a0" + +chai-passport-strategy@1.x.x: + version "1.0.0" + resolved "https://registry.yarnpkg.com/chai-passport-strategy/-/chai-passport-strategy-1.0.0.tgz#b8ed610460455aa2e6f4f66858a426b792556481" + +chai@2.x.x: + version "2.3.0" + resolved "https://registry.yarnpkg.com/chai/-/chai-2.3.0.tgz#8a2f6a34748da801090fd73287b2aa739a4e909a" + dependencies: + assertion-error "1.0.0" + deep-eql "0.1.3" + +cheerio@~0.19.0: + version "0.19.0" + resolved "https://registry.yarnpkg.com/cheerio/-/cheerio-0.19.0.tgz#772e7015f2ee29965096d71ea4175b75ab354925" + dependencies: + css-select "~1.0.0" + dom-serializer "~0.1.0" + entities "~1.1.1" + htmlparser2 "~3.8.1" + lodash "^3.2.0" + +combined-stream@~0.0.4: + version "0.0.7" + resolved "https://registry.yarnpkg.com/combined-stream/-/combined-stream-0.0.7.tgz#0137e657baa5a7541c57ac37ac5fc07d73b4dc1f" + dependencies: + delayed-stream "0.0.5" + +commander@0.6.1: + version "0.6.1" + resolved "https://registry.yarnpkg.com/commander/-/commander-0.6.1.tgz#fa68a14f6a945d54dbbe50d8cdb3320e9e3b1a06" + +connect@2.7.5: + version "2.7.5" + resolved "https://registry.yarnpkg.com/connect/-/connect-2.7.5.tgz#139111b4b03f0533a524927a88a646ae467b2c02" + dependencies: + buffer-crc32 "0.1.1" + bytes "0.2.0" + cookie "0.0.5" + cookie-signature "1.0.0" + debug "*" + formidable "1.0.11" + fresh "0.1.0" + pause "0.0.1" + qs "0.5.1" + send "0.1.0" + +cookie-signature@1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.0.tgz#0044f332ac623df851c914e88eacc57f0c9704fe" + +cookie@0.0.5: + version "0.0.5" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.0.5.tgz#f9acf9db57eb7568c9fcc596256b7bb22e307c81" + +core-util-is@~1.0.0: + version "1.0.2" + resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7" + +cryptiles@~0.2.2: + version "0.2.2" + resolved "https://registry.yarnpkg.com/cryptiles/-/cryptiles-0.2.2.tgz#ed91ff1f17ad13d3748288594f8a48a0d26f325c" + dependencies: + boom "0.4.x" + +css-select@~1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/css-select/-/css-select-1.0.0.tgz#b1121ca51848dd264e2244d058cee254deeb44b0" + dependencies: + boolbase "~1.0.0" + css-what "1.0" + domutils "1.4" + nth-check "~1.0.0" + +css-what@1.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/css-what/-/css-what-1.0.0.tgz#d7cc2df45180666f99d2b14462639469e00f736c" + +debug@*: + version "2.6.8" + resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.8.tgz#e731531ca2ede27d188222427da17821d68ff4fc" + dependencies: + ms "2.0.0" + +deep-eql@0.1.3: + version "0.1.3" + resolved "https://registry.yarnpkg.com/deep-eql/-/deep-eql-0.1.3.tgz#ef558acab8de25206cd713906d74e56930eb69f2" + dependencies: + type-detect "0.1.1" + +delayed-stream@0.0.5: + version "0.0.5" + resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-0.0.5.tgz#d4b1f43a93e8296dfe02694f4680bc37a313c73f" + +diff@1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/diff/-/diff-1.0.2.tgz#4ae73f1aee8d6fcf484f1a1ce77ce651d9b7f0c9" + +dom-serializer@0, dom-serializer@~0.1.0: + version "0.1.0" + resolved "https://registry.yarnpkg.com/dom-serializer/-/dom-serializer-0.1.0.tgz#073c697546ce0780ce23be4a28e293e40bc30c82" + dependencies: + domelementtype "~1.1.1" + entities "~1.1.1" + +domelementtype@1, domelementtype@~1.1.1: + version "1.1.3" + resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.1.3.tgz#bd28773e2642881aec51544924299c5cd822185b" + +domhandler@2.3: + version "2.3.0" + resolved "https://registry.yarnpkg.com/domhandler/-/domhandler-2.3.0.tgz#2de59a0822d5027fabff6f032c2b25a2a8abe738" + dependencies: + domelementtype "1" + +domutils@1.4: + version "1.4.3" + resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.4.3.tgz#0865513796c6b306031850e175516baf80b72a6f" + dependencies: + domelementtype "1" + +domutils@1.5: + version "1.5.1" + resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.5.1.tgz#dcd8488a26f563d61079e48c9f7b7e32373682cf" + dependencies: + dom-serializer "0" + domelementtype "1" + +ecdsa-sig-formatter@1.0.9: + version "1.0.9" + resolved "https://registry.yarnpkg.com/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.9.tgz#4bc926274ec3b5abb5016e7e1d60921ac262b2a1" + dependencies: + base64url "^2.0.0" + safe-buffer "^5.0.1" + +ejs@2.5.5: + version "2.5.5" + resolved "https://registry.yarnpkg.com/ejs/-/ejs-2.5.5.tgz#6ef4e954ea7dcf54f66aad2fe7aa421932d9ed77" + +ejs@^2.5.6: + version "2.5.6" + resolved "https://registry.yarnpkg.com/ejs/-/ejs-2.5.6.tgz#479636bfa3fe3b1debd52087f0acb204b4f19c88" + +ejs@~0.8.3: + version "0.8.8" + resolved "https://registry.yarnpkg.com/ejs/-/ejs-0.8.8.tgz#ffdc56dcc35d02926dd50ad13439bbc54061d598" + +entities@1.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/entities/-/entities-1.0.0.tgz#b2987aa3821347fcde642b24fdfc9e4fb712bf26" + +entities@~1.1.1: + version "1.1.1" + resolved "https://registry.yarnpkg.com/entities/-/entities-1.1.1.tgz#6e5c2d0a5621b5dadaecef80b90edfb5cd7772f0" + +express@~3.1.0: + version "3.1.2" + resolved "https://registry.yarnpkg.com/express/-/express-3.1.2.tgz#52a02c8db8f22bbfa0d7478d847cd45161f985f7" + dependencies: + buffer-crc32 "~0.2.1" + commander "0.6.1" + connect "2.7.5" + cookie "0.0.5" + cookie-signature "1.0.0" + debug "*" + fresh "0.1.0" + methods "0.0.1" + mkdirp "~0.3.4" + range-parser "0.0.4" + send "0.1.0" + +foreach@~2.0.1: + version "2.0.5" + resolved "https://registry.yarnpkg.com/foreach/-/foreach-2.0.5.tgz#0bee005018aeb260d0a3af3ae658dd0136ec1b99" + +form-data@~0.0.3: + version "0.0.10" + resolved "https://registry.yarnpkg.com/form-data/-/form-data-0.0.10.tgz#db345a5378d86aeeb1ed5d553b869ac192d2f5ed" + dependencies: + async "~0.2.7" + combined-stream "~0.0.4" + mime "~1.2.2" + +formidable@1.0.11: + version "1.0.11" + resolved "https://registry.yarnpkg.com/formidable/-/formidable-1.0.11.tgz#68f63325a035e644b6f7bb3d11243b9761de1b30" + +fresh@0.1.0: + version "0.1.0" + resolved "https://registry.yarnpkg.com/fresh/-/fresh-0.1.0.tgz#03e4b0178424e4c2d5d19a54d8814cdc97934850" + +growl@1.7.x: + version "1.7.0" + resolved "https://registry.yarnpkg.com/growl/-/growl-1.7.0.tgz#de2d66136d002e112ba70f3f10c31cf7c350b2da" + +hoek@0.9.x: + version "0.9.1" + resolved "https://registry.yarnpkg.com/hoek/-/hoek-0.9.1.tgz#3d322462badf07716ea7eb85baf88079cddce505" + +htmlparser2@~3.8.1: + version "3.8.3" + resolved "https://registry.yarnpkg.com/htmlparser2/-/htmlparser2-3.8.3.tgz#996c28b191516a8be86501a7d79757e5c70c1068" + dependencies: + domelementtype "1" + domhandler "2.3" + domutils "1.5" + entities "1.0" + readable-stream "1.1" + +indexof@~0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/indexof/-/indexof-0.0.1.tgz#82dc336d232b9062179d05ab3293a66059fd435d" + +inherits@~2.0.1: + version "2.0.3" + resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.3.tgz#633c2c83e3da42a502f52466022480f4208261de" + +is-object@~0.1.2: + version "0.1.2" + resolved "https://registry.yarnpkg.com/is-object/-/is-object-0.1.2.tgz#00efbc08816c33cfc4ac8251d132e10dc65098d7" + +is@~0.2.6: + version "0.2.7" + resolved "https://registry.yarnpkg.com/is/-/is-0.2.7.tgz#3b34a2c48f359972f35042849193ae7264b63562" + +isarray@0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/isarray/-/isarray-0.0.1.tgz#8a18acfca9a8f4177e09abfc6038939b05d1eedf" + +jade@0.26.3: + version "0.26.3" + resolved "https://registry.yarnpkg.com/jade/-/jade-0.26.3.tgz#8f10d7977d8d79f2f6ff862a81b0513ccb25686c" + dependencies: + commander "0.6.1" + mkdirp "0.3.0" + +jsonwebtoken@~5.0.4: + version "5.0.5" + resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-5.0.5.tgz#6592cc05ee03dd5ad9e03a910911a4da79afe0f8" + dependencies: + jws "^3.0.0" + +jwa@^1.1.4: + version "1.1.5" + resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.1.5.tgz#a0552ce0220742cd52e153774a32905c30e756e5" + dependencies: + base64url "2.0.0" + buffer-equal-constant-time "1.0.1" + ecdsa-sig-formatter "1.0.9" + safe-buffer "^5.0.1" + +jws@^3.0.0: + version "3.1.4" + resolved "https://registry.yarnpkg.com/jws/-/jws-3.1.4.tgz#f9e8b9338e8a847277d6444b1464f61880e050a2" + dependencies: + base64url "^2.0.0" + jwa "^1.1.4" + safe-buffer "^5.0.1" + +lodash@^3.2.0: + version "3.10.1" + resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6" + +lodash@^4.14.0: + version "4.17.4" + resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.4.tgz#78203a4d1c328ae1d86dca6460e369b57f4055ae" + +methods@0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/methods/-/methods-0.0.1.tgz#277c90f8bef39709645a8371c51c3b6c648e068c" + +mime@1.2.6: + version "1.2.6" + resolved "https://registry.yarnpkg.com/mime/-/mime-1.2.6.tgz#b1f86c768c025fa87b48075f1709f28aeaf20365" + +mime@~1.2.2, mime@~1.2.7: + version "1.2.11" + resolved "https://registry.yarnpkg.com/mime/-/mime-1.2.11.tgz#58203eed86e3a5ef17aed2b7d9ebd47f0a60dd10" + +mkdirp@0.3.0: + version "0.3.0" + resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.3.0.tgz#1bbf5ab1ba827af23575143490426455f481fe1e" + +mkdirp@0.3.3: + version "0.3.3" + resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.3.3.tgz#595e251c1370c3a68bab2136d0e348b8105adf13" + +mkdirp@~0.3.4: + version "0.3.5" + resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.3.5.tgz#de3e5f8961c88c787ee1368df849ac4413eca8d7" + +mocha@~1.8.1: + version "1.8.2" + resolved "https://registry.yarnpkg.com/mocha/-/mocha-1.8.2.tgz#fb6b1d07d98f2eba418546844c3be0731f75e390" + dependencies: + commander "0.6.1" + debug "*" + diff "1.0.2" + growl "1.7.x" + jade "0.26.3" + mkdirp "0.3.3" + ms "0.3.0" + +moment@~1.7.2: + version "1.7.2" + resolved "https://registry.yarnpkg.com/moment/-/moment-1.7.2.tgz#e66be344be2e9ec1d12f1e16a8ca49bf63417f4f" + +ms@0.3.0: + version "0.3.0" + resolved "https://registry.yarnpkg.com/ms/-/ms-0.3.0.tgz#03edc348d613e66a56486cfdac53bcbe899cbd61" + +ms@2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8" + +node-forge@^0.7.0: + version "0.7.1" + resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.7.1.tgz#9da611ea08982f4b94206b3beb4cc9665f20c300" + +nth-check@~1.0.0: + version "1.0.1" + resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-1.0.1.tgz#9929acdf628fc2c41098deab82ac580cf149aae4" + dependencies: + boolbase "~1.0.0" + +object-keys@~0.2.0: + version "0.2.0" + resolved "https://registry.yarnpkg.com/object-keys/-/object-keys-0.2.0.tgz#cddec02998b091be42bf1035ae32e49f1cb6ea67" + dependencies: + foreach "~2.0.1" + indexof "~0.0.1" + is "~0.2.6" + +passport-strategy@1.x.x, passport-strategy@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/passport-strategy/-/passport-strategy-1.0.0.tgz#b5539aa8fc225a3d1ad179476ddf236b440f52e4" + +passport@^0.3.2: + version "0.3.2" + resolved "https://registry.yarnpkg.com/passport/-/passport-0.3.2.tgz#9dd009f915e8fe095b0124a01b8f82da07510102" + dependencies: + passport-strategy "1.x.x" + pause "0.0.1" + +pause@0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/pause/-/pause-0.0.1.tgz#1d408b3fdb76923b9543d96fb4c9dfd535d9cb5d" + +qs@0.5.1: + version "0.5.1" + resolved "https://registry.yarnpkg.com/qs/-/qs-0.5.1.tgz#9f6bf5d9ac6c76384e95d36d15b48980e5e4add0" + +range-parser@0.0.4: + version "0.0.4" + resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-0.0.4.tgz#c0427ffef51c10acba0782a46c9602e744ff620b" + +readable-stream@1.1: + version "1.1.13" + resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-1.1.13.tgz#f6eef764f514c89e2b9e23146a75ba106756d23e" + dependencies: + core-util-is "~1.0.0" + inherits "~2.0.1" + isarray "0.0.1" + string_decoder "~0.10.x" + +request@~2.14.0: + version "2.14.0" + resolved "https://registry.yarnpkg.com/request/-/request-2.14.0.tgz#0d8acbb0b14c1ab82e000b7d381fa8c80d1a7d88" + dependencies: + form-data "~0.0.3" + mime "~1.2.7" + +safe-buffer@^5.0.1: + version "5.0.1" + resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.0.1.tgz#d263ca54696cd8a306b5ca6551e92de57918fbe7" + +saml@~0.4.1, saml@~0.4.2, saml@~0.4.4: + version "0.4.4" + resolved "https://registry.yarnpkg.com/saml/-/saml-0.4.4.tgz#f8919b42b2f4d2cb1ac2357e13d3bf0b93e190f4" + dependencies: + moment "~1.7.2" + xml-crypto "~0.0.17" + xmldom "=0.1.15" + +samlp@~0.4.3: + version "0.4.8" + resolved "https://registry.yarnpkg.com/samlp/-/samlp-0.4.8.tgz#9b334456098de8367095fe765316d46818ad50df" + dependencies: + ejs "~0.8.3" + saml "~0.4.2" + thumbprint "0.0.1" + xml-crypto "0.0.13" + xmldom "~0.1.15" + xpath "0.0.5" + +sax@>=0.1.1: + version "1.2.2" + resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.2.tgz#fd8631a23bc7826bef5d871bdb87378c95647828" + +send@0.1.0: + version "0.1.0" + resolved "https://registry.yarnpkg.com/send/-/send-0.1.0.tgz#cfb08ebd3cec9b7fc1a37d9ff9e875a971cf4640" + dependencies: + debug "*" + fresh "0.1.0" + mime "1.2.6" + range-parser "0.0.4" + +should@~1.1.0: + version "1.1.1" + resolved "https://registry.yarnpkg.com/should/-/should-1.1.1.tgz#6d53421aff1b0672bc5bb4755a075606f58eba2d" + +string_decoder@~0.10.x: + version "0.10.31" + resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-0.10.31.tgz#62e203bc41766c6c28c9fc84301dab1c5310fa94" + +thumbprint@0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/thumbprint/-/thumbprint-0.0.1.tgz#55e86f9a9b14efb45b15c039645d47b6226bb777" + +type-detect@0.1.1: + version "0.1.1" + resolved "https://registry.yarnpkg.com/type-detect/-/type-detect-0.1.1.tgz#0ba5ec2a885640e470ea4e8505971900dac58822" + +uid2@0.0.x: + version "0.0.3" + resolved "https://registry.yarnpkg.com/uid2/-/uid2-0.0.3.tgz#483126e11774df2f71b8b639dcd799c376162b82" + +wsfed@~0.3.5: + version "0.3.11" + resolved "https://registry.yarnpkg.com/wsfed/-/wsfed-0.3.11.tgz#1e92602eace3de04ac2c4436c54545d3fe5341fc" + dependencies: + ejs "~0.8.3" + saml "~0.4.1" + thumbprint "0.0.1" + +xml-crypto@0.0.13: + version "0.0.13" + resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-0.0.13.tgz#6d50ac4d9ebd513e39bcc959a04b4ac5cfc3085a" + dependencies: + xmldom ">=0.1.8" + +"xml-crypto@https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d": + version "0.0.18" + resolved "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d#3ebbd8aadf134276ea8547af0cfd4f7e7fa13d07" + dependencies: + xmldom "git+https://github.com/yaronn/xmldom.git" + xpath.js ">=0.0.3" + +xml-crypto@~0.0.17: + version "0.0.23" + resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-0.0.23.tgz#2ace8859e9ebd0ef78cdd8ce0da29306f2699460" + dependencies: + xmldom "=0.1.16" + xmldom-fork-fixed ">=0.0.1" + xpath.js ">=0.0.3" + +xml-encryption@0.11.0: + version "0.11.0" + resolved "https://registry.yarnpkg.com/xml-encryption/-/xml-encryption-0.11.0.tgz#458c2cb7d0300ff62d304c74eb3ded08ca97456b" + dependencies: + async "^2.1.5" + ejs "^2.5.6" + node-forge "^0.7.0" + xmldom "~0.1.15" + xpath "0.0.24" + +xml2js@0.1.x: + version "0.1.14" + resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.1.14.tgz#5274e67f5a64c5f92974cd85139e0332adc6b90c" + dependencies: + sax ">=0.1.1" + +xmldom-fork-fixed@>=0.0.1: + version "0.0.1" + resolved "https://registry.yarnpkg.com/xmldom-fork-fixed/-/xmldom-fork-fixed-0.0.1.tgz#b0cdba157a579d1b6eb471c9615bc8e512c5a28b" + +xmldom@=0.1.15: + version "0.1.15" + resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.15.tgz#b3048062f1bdd52edc421424459f06dceeb2f94d" + +xmldom@=0.1.16: + version "0.1.16" + resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.16.tgz#cf2602832b1ab5c3e6813fca08fe70196ba15e8c" + +xmldom@>=0.1.8, xmldom@~0.1.15: + version "0.1.27" + resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.27.tgz#d501f97b3bdb403af8ef9ecc20573187aadac0e9" + +"xmldom@git+https://github.com/yaronn/xmldom.git": + version "0.1.16" + resolved "git+https://github.com/yaronn/xmldom.git#68768a6a31f55b0737d7beb88807bc80146b2651" + +"xmldom@https://github.com/auth0/xmldom/tarball/master": + version "0.1.19" + resolved "https://github.com/auth0/xmldom/tarball/master#62af710fc82d42956d8e6918bd1bacf85163cb37" + +xpath.js@>=0.0.3: + version "1.0.7" + resolved "https://registry.yarnpkg.com/xpath.js/-/xpath.js-1.0.7.tgz#7e94627f541276cbc6a6b02b5d35e9418565b3e4" + +xpath@0.0.24: + version "0.0.24" + resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.24.tgz#1ade162e1cc523c8d39fc7d06afc16ea216f29fb" + +xpath@0.0.5: + version "0.0.5" + resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.5.tgz#454036f6ef0f3df5af5d4ba4a119fb75674b3e6c" + +xtend@~2.0.3: + version "2.0.6" + resolved "https://registry.yarnpkg.com/xtend/-/xtend-2.0.6.tgz#5ea657a6dba447069c2e59c58a1138cb0c5e6cee" + dependencies: + is-object "~0.1.2" + object-keys "~0.2.0" From 6fff3989bfbac992c559f6abe24f9225731e33c3 Mon Sep 17 00:00:00 2001 From: Sandrino Di Mattia Date: Wed, 24 May 2017 21:17:21 +0200 Subject: [PATCH 195/203] Indentation to spaces --- test/fixture/samlp-server.js | 8 ++++---- test/fixture/wsfed-server.js | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/test/fixture/samlp-server.js b/test/fixture/samlp-server.js index 74cb73a..6709f45 100644 --- a/test/fixture/samlp-server.js +++ b/test/fixture/samlp-server.js @@ -329,10 +329,10 @@ module.exports.start = function(options, callback){ app.post('/callback/samlp-with-invalid-xml', function (req, res, next) { - passport.authenticate('samlp-with-utf8', { protocol: 'samlp' }, function(err, user, info) { - res.send(400, { message: err.message }); - })(req, res, next); - }, + passport.authenticate('samlp-with-utf8', { protocol: 'samlp' }, function(err, user, info) { + res.send(400, { message: err.message }); + })(req, res, next); + }, function(req, res) { res.json(req.user); } diff --git a/test/fixture/wsfed-server.js b/test/fixture/wsfed-server.js index 0971466..2a068ef 100644 --- a/test/fixture/wsfed-server.js +++ b/test/fixture/wsfed-server.js @@ -83,10 +83,10 @@ module.exports.start = function(options, callback){ app.post('/callback/wresult-with-invalid-xml', function (req, res, next) { - passport.authenticate('wsfed-saml2', function(err, user, info) { - res.send(400, { message: err.message }); - })(req, res, next); - }, + passport.authenticate('wsfed-saml2', function(err, user, info) { + res.send(400, { message: err.message }); + })(req, res, next); + }, function(req, res) { res.json(req.user); } From 5a1b13ec579d1de50462d0a782c8a25d1251db3d Mon Sep 17 00:00:00 2001 From: Sandrino Di Mattia Date: Wed, 24 May 2017 21:33:45 +0200 Subject: [PATCH 196/203] Added tests for the XML parsers and the way the handle errors --- .../errors/SamlResponseParserError.js | 10 +- test/helpers.js | 65 +++++++++ test/interop.tests.js | 30 ++-- test/saml11.tests.js | 2 +- test/saml20.tests.js | 2 +- test/samlp.tests.js | 4 +- test/utils.js | 131 ++++++++++-------- 7 files changed, 164 insertions(+), 80 deletions(-) create mode 100644 test/helpers.js diff --git a/lib/passport-wsfed-saml2/errors/SamlResponseParserError.js b/lib/passport-wsfed-saml2/errors/SamlResponseParserError.js index f807db1..657831f 100644 --- a/lib/passport-wsfed-saml2/errors/SamlResponseParserError.js +++ b/lib/passport-wsfed-saml2/errors/SamlResponseParserError.js @@ -1,13 +1,13 @@ -function SamlResponseParseError (message, detail, status) { +function SamlResponseParserError (message, detail, status) { var err = Error.call(this, message); - err.name = 'SamlResponseParseError'; + err.name = 'SamlResponseParserError'; err.message = message || 'Error parsing SAMLResponse'; err.detail = detail; err.status = status || 400; return err; } -SamlResponseParseError.prototype = Object.create(Error.prototype); -SamlResponseParseError.prototype.constructor = SamlResponseParseError; +SamlResponseParserError.prototype = Object.create(Error.prototype); +SamlResponseParserError.prototype.constructor = SamlResponseParserError; -module.exports = SamlResponseParseError; +module.exports = SamlResponseParserError; diff --git a/test/helpers.js b/test/helpers.js new file mode 100644 index 0000000..95bb7c6 --- /dev/null +++ b/test/helpers.js @@ -0,0 +1,65 @@ +var xmlCrypto = require('xml-crypto'), + crypto = require('crypto'), + xmldom = require('xmldom'); + +exports.isValidSignature = function(assertion, cert) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + var signature = xmlCrypto.xpath(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; + var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); + sig.keyInfoProvider = { + getKeyInfo: function (key) { + return ""; + }, + getKey: function (keyInfo) { + return cert; + } + }; + sig.loadSignature(signature.toString()); + return sig.checkSignature(assertion); +}; + +exports.getIssuer = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getAttribute('Issuer'); +}; + +exports.getAssertionID = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getAttribute('AssertionID'); +}; + +exports.getIssueInstant = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getAttribute('IssueInstant'); +}; + +exports.getConditions = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement.getElementsByTagName('saml:Conditions'); +}; + +exports.getAudiences = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:Conditions')[0] + .getElementsByTagName('saml:AudienceRestrictionCondition')[0] + .getElementsByTagName('saml:Audience'); +}; + +exports.getAuthenticationStatement = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:AuthenticationStatement')[0]; +}; + +exports.getAttributes = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:Attribute'); +}; + +exports.getNameIdentifier = function(assertion) { + var doc = new xmldom.DOMParser().parseFromString(assertion); + return doc.documentElement + .getElementsByTagName('saml:NameIdentifier')[0]; +}; diff --git a/test/interop.tests.js b/test/interop.tests.js index 9ca0c03..1f45485 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -1,6 +1,6 @@ var assert = require('assert'), fs = require('fs'), - utils = require('./utils'), + helpers = require('./helpers'), moment = require('moment'), should = require('should'), saml11 = require('saml').Saml11, @@ -20,12 +20,12 @@ describe('interop', function () { before(function (done) { server.start(done); }); - + after(function (done) { server.close(done); }); - + it('should validate an assertion from office365', function (done) { var signedAssertion = 'https://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/TzJmLs0BTPgpaPLsA7L2Kd9l1k4IBOmwIM/znV2iOPU=OHJCAffCNPRkwsE3RqnVPoCRSqsPrio8prABauzu2pqF418Y1QJuJehhzztY8A6kwnBUkBVE7BIyLe7kgCnBoNZWElYki1xtaLksc/Afc0TjlZvv9IJ9fQHIBiL1JA9KcySq1tu9dv/NauykBODXuljPuVTk6I4xLLWcg20o26Ov57axp42uWPpcJHtasomLmmmnAXEh6P7aB/1Vlm/MAJhWXToxacauJzFao3F9JNEuucKY6y3RPDp1Qq3vL0gq98RKuiaejayu6RjyyU2+8vCBzURul8b7ZXPUHfIOME6Q5LvbKqLhe/mzqRc+9GUg22X3B5SYjdnXjwHbBTbihA==MIIDPjCCAiqgAwIBAgIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjA3MDcwMDAwWhcNMTQwNjA3MDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCz8Sn3GGXmikH2MdTeGY1D711EORX/lVXpr+ecGgqfUWF8MPB07XkYuJ54DAuYT318+2XrzMjOtqkT94VkXmxv6dFGhG8YZ8vNMPd4tdj9c0lpvWQdqXtL1TlFRpD/P6UMEigfN0c9oWDg9U7Ilymgei0UXtf1gtcQbc5sSQU0S4vr9YJp2gLFIGK11Iqg4XSGdcI0QWLLkkC6cBukhVnd6BCYbLjTYy3fNs4DzNdemJlxGl8sLexFytBF6YApvSdus3nFXaMCtBGx16HzkK9ne3lobAwL2o79bP4imEGqg+ibvyNmbrwFGnQrBc1jTF9LyQX9q+louxVfHs6ZiVwIDAQABo2IwYDBeBgNVHQEEVzBVgBCxDDsLd8xkfOLKm4Q/SzjtoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQVWmXY/+9RqFA/OG9kFulHDAJBgUrDgMCHQUAA4IBAQAkJtxxm/ErgySlNk69+1odTMP8Oy6L0H17z7XGG3w4TqvTUSWaxD4hSFJ0e7mHLQLQD7oV/erACXwSZn2pMoZ89MBDjOMQA+e6QzGB7jmSzPTNmQgMLA8fWCfqPrz6zgH+1F1gNp8hJY57kfeVPBiyjuBmlTEBsBlzolY9dd/55qqfQk6cgSeCbHCy/RU/iep0+UsRMlSgPNNmqhj5gmN2AFVCN96zF694LwuPae5CeR2ZcVknexOWHYjFM0MgUSw0ubnGl0h9AJgGyhvNGcjQqu9vd1xkupFgaN+f7P3p3EVN5csBg5H94jEcQZT7EKeTiZ6bTrpDAnrr8tDCy8ng10030000838D23AF@MicrosoftOnline.comspn:408153f4-5960-43dc-9d4f-6b717d772c8d75696069-df44-4310-9bcf-08b45e3007c9Matiasmatias@auth0.onmicrosoft.comWoloskihttps://sts.windows.net/75696069-df44-4310-9bcf-08b45e3007c9/urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; @@ -46,7 +46,7 @@ describe('interop', function () { // SAMLResponse comes from open.feide https://openidp.feide.no before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5051/callback/samlp-signedresponse-signedassertion', form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZjEzOGQyZTUzMWQ0NjI0ZmNhZmQ4OGJlYWNmN2VjMzkwMzRmMmEzNzRkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMy0wNy0wN1QxMTo1NToxOFoiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9vcGVuaWRwLmZlaWRlLm5vPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2YxMzhkMmU1MzFkNDYyNGZjYWZkODhiZWFjZjdlYzM5MDM0ZjJhMzc0ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+VXJHUURDSGF0eTRjNzZqTW5oWmZZb09qQ1RFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5uSGZLUDRzbXliTHQxRTdwNVZJMkttUnZtL3RYMEpVRVNGYUN6ejM4M1RDMWpTU2JaODZKSVJYSVdMRXl1WTJCOTJBNHdmdC8zaHhqV2ZBNTNWUFdsYS93UzBEcitRbzUxU2svTzZNek1tbXRXakx2WVZhTDhvQ3lZUFZHSDlyWXZ4cnlnVXFyVkZDZVZhS3U5Y1VwVWpPdXZTYzM1dUovOEJFZUZ1cTdBMm89PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2l6Q0NBZlFDQ1FDWTh0S2FNYzBCTWpBTkJna3Foa2lHOXcwQkFRVUZBRENCaVRFTE1Ba0dBMVVFQmhNQ1RrOHhFakFRQmdOVkJBZ1RDVlJ5YjI1a2FHVnBiVEVRTUE0R0ExVUVDaE1IVlU1SlRrVlVWREVPTUF3R0ExVUVDeE1GUm1WcFpHVXhHVEFYQmdOVkJBTVRFRzl3Wlc1cFpIQXVabVZwWkdVdWJtOHhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtRnVaSEpsWVhNdWMyOXNZbVZ5WjBCMWJtbHVaWFIwTG01dk1CNFhEVEE0TURVd09EQTVNakkwT0ZvWERUTTFNRGt5TXpBNU1qSTBPRm93Z1lreEN6QUpCZ05WQkFZVEFrNVBNUkl3RUFZRFZRUUlFd2xVY205dVpHaGxhVzB4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4RGpBTUJnTlZCQXNUQlVabGFXUmxNUmt3RndZRFZRUURFeEJ2Y0dWdWFXUndMbVpsYVdSbExtNXZNU2t3SndZSktvWklodmNOQVFrQkZocGhibVJ5WldGekxuTnZiR0psY21kQWRXNXBibVYwZEM1dWJ6Q0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUF0OGpMb3FJMVZUbHhBWjJheGlESVRoV2NBT1hkdThLa1ZVV2FOL1Nvb085TzBRUTdLUlVqU0dLTjlKSzY1QUZSRFhRa1dQQXU0SGxuTzRub1lsRlNMbll5RHhJNjZMQ3I3MXg0bGdGSmpxTGVBdkIvR3FCcUZmSVozWUsvTnJoblVxRndadTYzbkxyWmpjVVp4TmFQak9PU1JTRGFYcHYxa2I1azNqT2lTR0VDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQlFZajRjQWFmV2FZZmpCVTJ6aTFFbHdTdElhSjVueXAvcy84QjhTQVBLMlQ3OU1jTXljY1Azd1NXMTNMSGttTTFqd0tlM0FDRlhCdnFHUU4wSWJjSDQ5aHUwRktoWUZNL0dQREpjSUhGQnNpeU1CWENocHllOXZCYVRORUJDdFUzS2pqeUcwaFJUMm1BUTloK2JrUG1PdmxFby9hSDB4UjY4WjlodzRQRjEzdz09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEzLTA3LTA3VDExOjU1OjE4WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vb3BlbmlkcC5mZWlkZS5ubzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICA8ZHM6UmVmZXJlbmNlIFVSST0iI19lYzM1MzRjN2Y2NjYzMjdlNmFmMTU0MzdiZTdiODk5OTU4ZDMwZGY5NzUiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPlZPWVNVQlZZSUNvTWJwbk5INEVCRHhBUWtKTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RW1rR1docVZvZ25vNWhja01UcG9ySHFwT0szVDZpZ2JRVXA2Zmkxc1pvcXFsd3cxSUtmc3REMW1LdzVjM21JcldyNjFnOTh4TFMxLzBnMW5hUWlpT0MzbDl6Y0g3QUFIOVdGWW5JejdGeUE4dmllKzBxTE1Dbno4cVVpZ21HWDNRbEdiQ1QzUHVUNDEzUWlZSm9DT2VXME5zYUpaWUNINUFOWnprSUJsdG9nPTwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNpekNDQWZRQ0NRQ1k4dEthTWMwQk1qQU5CZ2txaGtpRzl3MEJBUVVGQURDQmlURUxNQWtHQTFVRUJoTUNUazh4RWpBUUJnTlZCQWdUQ1ZSeWIyNWthR1ZwYlRFUU1BNEdBMVVFQ2hNSFZVNUpUa1ZVVkRFT01Bd0dBMVVFQ3hNRlJtVnBaR1V4R1RBWEJnTlZCQU1URUc5d1pXNXBaSEF1Wm1WcFpHVXVibTh4S1RBbkJna3Foa2lHOXcwQkNRRVdHbUZ1WkhKbFlYTXVjMjlzWW1WeVowQjFibWx1WlhSMExtNXZNQjRYRFRBNE1EVXdPREE1TWpJME9Gb1hEVE0xTURreU16QTVNakkwT0Zvd2dZa3hDekFKQmdOVkJBWVRBazVQTVJJd0VBWURWUVFJRXdsVWNtOXVaR2hsYVcweEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReERqQU1CZ05WQkFzVEJVWmxhV1JsTVJrd0Z3WURWUVFERXhCdmNHVnVhV1J3TG1abGFXUmxMbTV2TVNrd0p3WUpLb1pJaHZjTkFRa0JGaHBoYm1SeVpXRnpMbk52YkdKbGNtZEFkVzVwYm1WMGRDNXViekNCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBdDhqTG9xSTFWVGx4QVoyYXhpRElUaFdjQU9YZHU4S2tWVVdhTi9Tb29POU8wUVE3S1JValNHS045Sks2NUFGUkRYUWtXUEF1NEhsbk80bm9ZbEZTTG5ZeUR4STY2TENyNzF4NGxnRkpqcUxlQXZCL0dxQnFGZklaM1lLL05yaG5VcUZ3WnU2M25MclpqY1VaeE5hUGpPT1NSU0RhWHB2MWtiNWszak9pU0dFQ0F3RUFBVEFOQmdrcWhraUc5dzBCQVFVRkFBT0JnUUJRWWo0Y0FhZldhWWZqQlUyemkxRWx3U3RJYUo1bnlwL3MvOEI4U0FQSzJUNzlNY015Y2NQM3dTVzEzTEhrbU0xandLZTNBQ0ZYQnZxR1FOMEliY0g0OWh1MEZLaFlGTS9HUERKY0lIRkJzaXlNQlhDaHB5ZTl2QmFUTkVCQ3RVM0tqanlHMGhSVDJtQVE5aCtia1BtT3ZsRW8vYUgweFI2OFo5aHc0UEYxM3c9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0idXJuOmF1dGgwOmxvZ2luLWRldjMiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fOTVkYThhZjQ4MjY4NmEwY2VjZDY0Y2I3Y2FmOGU4NzFiN2FjMTFkYWUxPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA3LTA3VDEyOjAwOjE4WiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iX2ZkMDY3N2ExZmRmMTU0Y2JmZGQwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTMtMDctMDdUMTE6NTQ6NDhaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTI6MDA6MThaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnVybjphdXRoMDpsb2dpbi1kZXYzPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMy0wNy0wN1QxMToxMTo0MVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDdUMTk6NTU6MThaIiBTZXNzaW9uSW5kZXg9Il81ZDA2MDZhMGIxZmQ5Nzk4ZDJhMjg3MjE5M2UzOWE5MDdhM2MwYmE0MTUiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJjbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPk1hdGlhcyBXb2xvc2tpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tYXRpYXN3QGdtYWlsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25QcmluY2lwYWxOYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraUBybmQuZmVpZGUubm88L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uVGFyZ2V0ZWRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPjFiMTI0NmQ3MjgxOTdiYjQ3ZDA5MzQyYWE0ZjZjM2Y0N2Y0ZTkyYWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+d29sb3NraTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjIuNS40LjQyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVybjpvaWQ6Mi41LjQuNCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPldvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoyLjUuNC4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWF0aWFzIFdvbG9za2k8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4zIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+bWF0aWFzd0BnbWFpbC5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idXJuOm9pZDoxLjMuNi4xLjQuMS41OTIzLjEuMS4xLjYiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj53b2xvc2tpQHJuZC5mZWlkZS5ubzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1cm46b2lkOjEuMy42LjEuNC4xLjU5MjMuMS4xLjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xYjEyNDZkNzI4MTk3YmI0N2QwOTM0MmFhNGY2YzNmNDdmNGU5MmFlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+' } }, function(err, response, body) { @@ -66,7 +66,7 @@ describe('interop', function () { it('should return a valid user', function(){ var user = JSON.parse(bod); /* - { + { uid: 'woloski', givenName: 'Matias', sn: 'Woloski', @@ -82,7 +82,7 @@ describe('interop', function () { 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6': 'woloski@rnd.feide.no', 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10': '1b1246d728197bb47d09342aa4f6c3f47f4e92ae', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': '_95da8af482686a0cecd64cb7caf8e871b7ac11dae1', - issuer: 'https://openidp.feide.no' + issuer: 'https://openidp.feide.no' } */ expect(user['uid']).to.equal('woloski'); @@ -101,7 +101,7 @@ describe('interop', function () { // SAMLResponse comes from Okta before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5051/callback/samlp-okta', form: { SAMLResponse: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9hdXRoMDE0NS5hdXRoMC5jb20iIElEPSJpZDgxMzIzMDI4Njg0Njg5ODM4OTkzODY4MzEiIElzc3VlSW5zdGFudD0iMjAxMy0wOC0wM1QyMTo1NDo0My45NDJaIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwOi8vd3d3Lm9rdGEuY29tL2s3eGtocTBqVUhVUFFBWFZNVUFOPC9zYW1sMjpJc3N1ZXI+PHNhbWwycDpTdGF0dXMgeG1sbnM6c2FtbDJwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJpZDgxMzIzMDI4Njg1NDEwMTk3NTU0MTQxMjEiIElzc3VlSW5zdGFudD0iMjAxMy0wOC0wM1QyMTo1NDo0My45NDJaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSI+PHNhbWwyOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly93d3cub2t0YS5jb20vazd4a2hxMGpVSFVQUUFYVk1VQU48L3NhbWwyOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI2lkODEzMjMwMjg2ODU0MTAxOTc1NTQxNDEyMSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPjRHK3V2ZUttdGlCMUVrWTVCQXQrOGxtUXdqST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+UTgwTjZGVXI1L1lQdEV6UmxSZE1vUHUrYkwwTXNzRHhOVVkreXh5a3pibXhzSTBqb0VvL1NtbVNnWnJEWVFLVGxsWmsvS2Z6Qk1QRlY5eUJINCttRXpDVTVFM3h1Q3M5OWpaemFmY3czSzhtSU1USnkxWUh4amMzNTlkMjdSNXM1MGk5dzVQSHN1c1JvdjBNalFJb0oydzQ4R3k0RW5ZYVZpcUJSM1VWRXFFPTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ25UQ0NBZ2FnQXdJQkFnSUdBVUJHSHhxVU1BMEdDU3FHU0liM0RRRUJCUVVBTUlHUk1Rc3dDUVlEVlFRR0V3SlZVekVUTUJFRwpBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFQ2d3RVQydDBZVEVVCk1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFakFRQmdOVkJBTU1DV3RzZFdkc1lXSnpNakVjTUJvR0NTcUdTSWIzRFFFSkFSWU4KYVc1bWIwQnZhM1JoTG1OdmJUQWVGdzB4TXpBNE1ETXlNVE00TXpoYUZ3MDBNekE0TURNeU1UTTVNemhhTUlHUk1Rc3dDUVlEVlFRRwpFd0pWVXpFVE1CRUdBMVVFQ0F3S1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWphWE5qYnpFTk1Bc0dBMVVFCkNnd0VUMnQwWVRFVU1CSUdBMVVFQ3d3TFUxTlBVSEp2ZG1sa1pYSXhFakFRQmdOVkJBTU1DV3RzZFdkc1lXSnpNakVjTUJvR0NTcUcKU0liM0RRRUpBUllOYVc1bWIwQnZhM1JoTG1OdmJUQ0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUFzQ0I5bEpUSApxQjd2ZE01amVPSDg0Y1c4dTdJSFl2NC9PQVBZRjBmQlllOXdKeTE5Q2d5TTJPZ2lBU3VBY0l0bkg0V2hCK2lvMlpQd2IvWHdsN1V1CjRYbVVFMGwrbWtDTnVEWXA1ZlhUWnh3djVHNkh2a0F4WFppbzBSazlUMFZFVENyb3hncFM1THhRL28vb3dqUjM5Uzd4elJuajZkZFgKM01xMnlHakt5QmNDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQUIxcUdOcVNOTExXcStSUGNQK3dPYVd0WXBKT0o4L01iWgpFV1dtOS9LS0hLWE02Si96Z1VVSVhaaTNjek1lTytZK1gxNFBSOGxHWG9BSGY1Yi9KYXZHOUZtRnZSbjRmR2E0NVZUVm8yR2ZNTjZLCmFJS0Ywb2JlQ2JZaS9RVWY4QitYaTF0U0lKbTFWQ0tSRTdubmxpUS9UekdhTnVsZ1dleVRiVmtHMC9YOExRPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdCB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+YWRtaW5Aa2x1Z2xhYnMuY29tPC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEzLTA4LTAzVDIxOjU5OjQzLjk0MloiIFJlY2lwaWVudD0iaHR0cHM6Ly9hdXRoMDE0NS5hdXRoMC5jb20iLz48L3NhbWwyOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sMjpTdWJqZWN0PjxzYW1sMjpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMy0wOC0wM1QyMTo0OTo0My45NDNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDgtMDNUMjE6NTk6NDMuOTQyWiIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5odHRwczovL2F1dGgwMTQ1LmF1dGgwLmNvbTwvc2FtbDI6QXVkaWVuY2U+PC9zYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEzLTA4LTAzVDIxOjU0OjQzLjk0MloiIFNlc3Npb25JbmRleD0iaWQxMzc1NTY2ODgzOTQyLjY4NzYxMDQzNyIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iUm9sZSIgTmFtZUZvcm1hdD0ibnMiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPkFkbWluPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=' } }, function(err, response, body) { @@ -152,7 +152,7 @@ describe('interop', function () { // SAMLResponse comes from Ping before(function (done) { request.post({ - jar: request.jar(), + jar: request.jar(), uri: 'http://localhost:5051/callback/samlp-ping', form: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siIEluUmVzcG9uc2VUbz0iXzRhNDMyMzEzNmNhMGFkNDU3OGNiIiBJc3N1ZUluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIxWiIgSUQ9IklEMzBlNjM2OTcyYzgxYmNkN2E1MzBkMWJkNjc4MmM4YmNiZTU2Y2U4NjEwZDM0ZDJjMDIiIFZlcnNpb249IjIuMCIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPlBpbmdDb25uZWN0PC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24gVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIxWiIgSUQ9IklENzc1MzVlNjc2YjM0ZDQyNzAzMWM3NTM5ODk2Nzg5YzE5NTM4ZTdlNmRmNTY5YWQ4MDIiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sOklzc3Vlcj5QaW5nQ29ubmVjdDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CjxkczpTaWduZWRJbmZvPgo8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+CjxkczpSZWZlcmVuY2UgVVJJPSIjSUQ3NzUzNWU2NzZiMzRkNDI3MDMxYzc1Mzk4OTY3ODljMTk1MzhlN2U2ZGY1NjlhZDgwMiI+CjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPgo8ZHM6RGlnZXN0VmFsdWU+elRZdENWTVpBUDJYZGFJRDM3VlMyZ1MrTEwwPTwvZHM6RGlnZXN0VmFsdWU+CjwvZHM6UmVmZXJlbmNlPgo8L2RzOlNpZ25lZEluZm8+CjxkczpTaWduYXR1cmVWYWx1ZT4KUUNaRGtMMXRzZzFISDNtQVd3UDJzYWlRVFNldTBsTTdmdXNCQmlsL3RDdGpkU2xlZXgra1JETFpvY2p1SytVcDEvN0poS0NOVVE2SApOcVd0cWZHVVJpcUpaKzI5UVoxdzZibU93YXVzZzFiUkJGb0VtUkd0cER4dTBwNHNXemlOdzJ0eU81b1ZWSDYwaEFmZllHTjcweUg0CkUxd2t1emVhRVhOWFhGaEFKeHNOVGo1SkdEZmNld1U5UjQvVW1yTlVYWTdrdkJRV3BRcmI1VE5TNjNrL0hhaEdsN3pPNzJla1FVK04KU0FUU0Eyb2hJU09obVBTbUVyQVVaQkI2Z0FSQ2srT2xWRld0VS9NUnFFMlo5UWFXNndkYlBnVkg0d2JYbnA4YkcxdTQ0VHk5bUFDWApiKzhXT0F3NHBYTkxXYzVZK2dKaVFyaUdyb3p6b0pQaDVGL3FDZz09CjwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPgo8ZHM6WDUwOURhdGE+CjxkczpYNTA5Q2VydGlmaWNhdGU+Ck1JSUZ4akNDQks2Z0F3SUJBZ0lRYXFiblNYTklDQWRmVFo4Sm9pcU9VakFOQmdrcWhraUc5dzBCQVFVRkFEQmlNUXN3Q1FZRFZRUUcKRXdKVlV6RWhNQjhHQTFVRUNoTVlUbVYwZDI5eWF5QlRiMngxZEdsdmJuTWdUQzVNTGtNdU1UQXdMZ1lEVlFRREV5ZE9aWFIzYjNKcgpJRk52YkhWMGFXOXVjeUJEWlhKMGFXWnBZMkYwWlNCQmRYUm9iM0pwZEhrd0hoY05NVEl3TXpBeU1EQXdNREF3V2hjTk1UUXdPREk0Ck1qTTFPVFU1V2pDQnp6RUxNQWtHQTFVRUJoTUNWVk14RGpBTUJnTlZCQkVUQlRnd01qQXlNUXN3Q1FZRFZRUUlFd0pEVHpFUE1BMEcKQTFVRUJ4TUdSR1Z1ZG1WeU1SSXdFQVlEVlFRSkV3bFRkV2wwWlNBeE1EQXhHVEFYQmdOVkJBa1RFREV3TURFZ01UZDBhQ0JUZEhKbApaWFF4SWpBZ0JnTlZCQW9UR1ZCcGJtY2dTV1JsYm5ScGRIa2dRMjl5Y0c5eVlYUnBiMjR4R0RBV0JnTlZCQXNURDFObFkzVnlaU0JNCmFXNXJJRk5UVERFbE1DTUdBMVVFQXhNY2MzTnZMbU52Ym01bFkzUXVjR2x1WjJsa1pXNTBhWFI1TG1OdmJUQ0NBU0l3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKZjF1UnZkSTJIdHJtNFNLUTZJd0xtSk9MeXJZdDNvdlJHaUJjejVoLzdmM3BqQwp4UjNYaml1dlVzZjR3T0pVWDAwRzNhcXpvK1o3VGVIRkJPOXA1UnBPWlFwK01tRDFGWko4ZlNUQVZjTDhUZHZKRjFKWUNaZEt3bCtMCk1MS0ZtWnZRMFljR0NOcEVmL1NRRlI1VlJUZzNmekV3eWdMMklsRFpYbXJ6RklBTk04R0JGUFNrZ3JoZitad3lsNnY1TVo2VEhQemUKSlpzMkZnek05MjVkZUNhZDUwMWZJOWtsdnRyRVN6NCtrZUxITEN3TFU2dCtKYW5vMzJneHZLYzNLZ2VyWlJkZ2pEcGI1MVpjRE10WQo4dTZBMXVVUGpnSmdPTHkvVFd5NUpXaE4vQmlwQkNGWEFXRTZCRDdKb3lmUEJTTjlRaE51cWR2WHM3NVhyRmxmNUk4Q0F3RUFBYU9DCkFnZ3dnZ0lFTUI4R0ExVWRJd1FZTUJhQUZEeEI0bzhJQ0tsTUpZbU5iY1U0MFB5RmpHSVhNQjBHQTFVZERnUVdCQlRRdHNIWU0wU0UKK0JwUGdUcUFudDhtb05CeHp6QU9CZ05WSFE4QkFmOEVCQU1DQmFBd0RBWURWUjBUQVFIL0JBSXdBREFkQmdOVkhTVUVGakFVQmdncgpCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdhd1lEVlIwZ0JHUXdZakJnQmd3ckJnRUVBWVlPQVFJQkF3RXdVREJPQmdnckJnRUZCUWNDCkFSWkNhSFIwY0RvdkwzZDNkeTV1WlhSM2IzSnJjMjlzZFhScGIyNXpMbU52YlM5c1pXZGhiQzlUVTB3dGJHVm5ZV3d0Y21Wd2IzTnAKZEc5eWVTMWpjSE11YW5Od01Ib0dBMVVkSHdSek1IRXdOcUEwb0RLR01HaDBkSEE2THk5amNtd3VibVYwYzI5c2MzTnNMbU52YlM5TwpaWFIzYjNKclUyOXNkWFJwYjI1elgwTkJMbU55YkRBM29EV2dNNFl4YUhSMGNEb3ZMMk55YkRJdWJtVjBjMjlzYzNOc0xtTnZiUzlPClpYUjNiM0pyVTI5c2RYUnBiMjV6WDBOQkxtTnliREJ6QmdnckJnRUZCUWNCQVFSbk1HVXdQQVlJS3dZQkJRVUhNQUtHTUdoMGRIQTYKTHk5M2QzY3VibVYwYzI5c2MzTnNMbU52YlM5T1pYUjNiM0pyVTI5c2RYUnBiMjV6WDBOQkxtTnlkREFsQmdnckJnRUZCUWN3QVlZWgphSFIwY0RvdkwyOWpjM0F1Ym1WMGMyOXNjM05zTG1OdmJUQW5CZ05WSFJFRUlEQWVnaHh6YzI4dVkyOXVibVZqZEM1d2FXNW5hV1JsCmJuUnBkSGt1WTI5dE1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQ0h1elNEaHg0Ukd5N1JiQ0FJMG1maWR2bXR6ZmFMVm9LaUIzVFoKSlVmNmpreXF5NmN3bjA5bjQxdW1kdUpZRHU4K2p2ODFKZUxXdGpabWxYZmhzb3ZhQlRJRVd4aUkxTlFLNlY5Rjk3ZDM3bHF5c3ZJbQprSUliaFVKaEJvSW5ZUldLM1dxYXd6V295Vjh2eFAxaDdNam81c1BOZ3FmTnNVVm5iOVBJODA0bFg3UEZZSHJxS0tudXJxb09kTHJvCnpGU2pBeUU0NElFNWdHWWVqN05SbE5EY1VRcEZ3Yjd6MkJqTVJtQ3RReTA2VlRjSFVlZDdNcWc5WHNNVHA4WXlDbW9uWkFlTGpXYTkKZnFDcVFJZzZvT3BTNzhKeXN4bGVFM3YvUWtYd0tmdGwzZGFiT2dwL1hDMzF6VW1MRDhqTzZLYmRpTzhrQ1B1TFFIUEl2c0ZvYXRDSQo8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4KPC9kczpYNTA5RGF0YT4KPGRzOktleVZhbHVlPgo8ZHM6UlNBS2V5VmFsdWU+CjxkczpNb2R1bHVzPgpsL1c1RzkwalllMnViaElwRG9qQXVZazR2S3RpM2VpOUVhSUZ6UG1IL3QvZW1NTEZIZGVPSzY5U3gvakE0bFJmVFFiZHFyT2o1bnROCjRjVUU3Mm5sR2s1bENuNHlZUFVWa254OUpNQlZ3dnhOMjhrWFVsZ0psMHJDWDRzd3NvV1ptOURSaHdZSTJrUi85SkFWSGxWRk9EZC8KTVRES0F2WWlVTmxlYXZNVWdBMHp3WUVVOUtTQ3VGLzVuREtYcS9reG5wTWMvTjRsbXpZV0RNejNibDE0SnAzblRWOGoyU1crMnNSTApQajZSNHNjc0xBdFRxMzRscWVqZmFERzhwemNxQjZ0bEYyQ01PbHZuVmx3TXkxank3b0RXNVErT0FtQTR2TDlOYkxrbGFFMzhHS2tFCklWY0JZVG9FUHNtako4OEZJMzFDRTI2cDI5ZXp2bGVzV1Yva2p3PT0KPC9kczpNb2R1bHVzPgo8ZHM6RXhwb25lbnQ+QVFBQjwvZHM6RXhwb25lbnQ+CjwvZHM6UlNBS2V5VmFsdWU+CjwvZHM6S2V5VmFsdWU+CjwvZHM6S2V5SW5mbz4KPC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnRlc3R1c2VyMUB0ZXN0aWRwLmNvbm5lY3QucGluZ2lkZW50aXR5LmNvbTwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzRhNDMyMzEzNmNhMGFkNDU3OGNiIiBOb3RPbk9yQWZ0ZXI9IjIwMTMtMDctMDhUMjA6MTA6MjUuNTIxWiIgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLWRldjMuYXV0aDAuY29tOjMwMDAvbG9naW4vY2FsbGJhY2siLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxMy0wNy0wOFQyMDoxMDoyNS41MjFaIiBOb3RCZWZvcmU9IjIwMTMtMDctMDhUMTk6MzA6MjUuNTIxWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT51cm46YXV0aDA6bG9naW4tZGV2Mzwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTMtMDctMDhUMTk6NDA6MjUuNTIyWiIgU2Vzc2lvbkluZGV4PSJsTGJTYlhpZmFPREx3T2hCZ1AyZk5PdVc5RmoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48c2FtbDpBdXRoZW50aWNhdGluZ0F1dGhvcml0eT50ZXN0aWRwLmNvbm5lY3QucGluZ2lkZW50aXR5LmNvbTwvc2FtbDpBdXRoZW50aWNhdGluZ0F1dGhvcml0eT48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iUGluZ09uZS5pZHBpZCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+YjE0ZWIwYjYtYTMzYS00MTRkLTljNzctMDEzMWUzMjRhNWI3PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9Im5hbWVpZCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+dGVzdF9uYW1laWQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyIgTmFtZT0iUGluZ09uZS5BdXRoZW50aWNhdGluZ0F1dGhvcml0eSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+dGVzdGlkcC5jb25uZWN0LnBpbmdpZGVudGl0eS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=' } }, function(err, response, body) { @@ -218,7 +218,7 @@ describe('interop', function () { var sm = new SamlPassport(samlOptions); var sp = new samlp(samlpOptions, sm); - sp.validateSamlResponse(new Buffer(response, 'base64').toString(), + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), function(err, profile){ if (err) return done(err); assert.ok(profile); @@ -315,7 +315,7 @@ describe('interop', function () { }); it('should validate an assertion from a WS-Fed STS using WS-Trust 1.3 namespaces', function (done) { - + var options = { thumbprint: '1756139e2a046d3c494daae6bbfa542a4367bc60', checkExpiration: false, @@ -345,7 +345,7 @@ describe('interop', function () { s._authenticate_saml(req); }); - + describe('wsfed fault response received', function () { var options = { @@ -404,10 +404,10 @@ describe('interop', function () { }; s._authenticate_saml(req); - }); + }); }); - + // it('should validate a saml response from datapower', function (done) { // var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage7mSr1qvkKTrrV2bV+HFVJKpKaCI=BQTRkGg8M/g2LpkgvW3MQG/B0cDxsz0zHa2wejIN2010r+hS4BCj7YcIH319R+Y4oZTmlxmJIT/4wlR9rxHQWxX95jdB1DfeoUMLAlk2JfAT+ByZ14F+N4B7lDILuNUTrDBNa9GLDIo8MyAK8SBUdeyqDtNFqb44/gGg6B0h2qEbDNLHY7WlAxvz4TfndKqk5v/VP96xiCS4d1AjYPvUL8EzR5kS83ABHX0jg2bYxdtctdiKOilcHQOHEIKosWw86b9uDQPjIrSt1JzW8SSSeA6M3nJ7HJ/5EsSYEMvt/FshBnKP2LI4HMGktlzw/9gOnmxR/CQykMmN2vvCwPsnXA==MIIFQTCCBCmgAwIBAgIETB7lIzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMzAxMzExNTM2MjBaFw0xNTAzMzAxOTA2MTJaMIGGMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMS0wKwYDVQQKEyRBWEEgRXF1aXRhYmxlIExpZmUgSW5zdXJhbmNlIENvbXBhbnkxIjAgBgNVBAMTGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn6cGpvyzVSQ2c1oK7LzuxUXW4sxBOTGLVCqo4FWcta7QAU7RU5i3ATWxyo9HFmD8Qcyj6YuIQYtljJFAx/JcZigtXNRVudtl0uuvCUTGfsR67+gGRWe7hNg/9gIWLXZGkikRT4g9yBqutMzHeuX0ecignFHJxw5S7p1rtxJmuXQR/8uOeAse+48PkZcCHFdzBp6u3Z+pzite12LA2F8C0K5nv9FgkHVEQjqgtgAjKin2QmWqI1gj6mIe0oMxWB4l3j7dsEXVO4zPU1ujIylY0y2QnK4PbNdGu+W1GElwvUhSaz+jmIUFWklJtsFyhFVGcgFRE5iXXmrlnK4GZv3/FAgMBAAGjggGIMIIBhDALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZAYIKwYBBQUHAQEEWDBWMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAvBggrBgEFBQcwAoYjaHR0cDovL2FpYS5lbnRydXN0Lm5ldC8yMDQ4LWwxYy5jZXIwSgYDVR0gBEMwQTA1BgkqhkiG9n0HSwIwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYGZ4EMAQICMCQGA1UdEQQdMBuCGXJ0aWdpbnQuYXhhLWVxdWl0YWJsZS5jb20wHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFJSL34z5hLkS08mEdEodVmeUrUC5MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAFCpXB2HagR+B4C5XKbtBPNZ3F94zJoFlCb+7/5Q9HWMGew1XiRx7GFhV4FCIsr6Gp9EYFLlVO+afdSMvNC7RauZ6nw7ylK8yRyuvbpJWC+XAfP4nVKroYYFPmKJdkELIBLIwt1Nsr3KsY0JIykokuQR/pWDSNVgo3arsNxXOhvxate0yoloMCUhHh+9b8WRY2JECN6fAEpg54pr5cjTCOCLFEN37M3Hl1+LRYNb6XAKUiL4b5CNkd/qUI5PZsJvGg/AOYRiCPY3iZezs9OT1RCkBrgM1W9rRF/zXCniRV3ASH22AU1jUn0OT1wy9B8PO15liIzw4WuYIdFqCxaIyJE=CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US1277093155'; // //var SAMLResponse = 'www.axa-equitable.comwww.axa-equitable.comChristopher.Owen@axa-advisors.com.datastageurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified3338532ChristopherOwenChristopher.Owen@axa-advisors.com.datastage'; @@ -418,13 +418,13 @@ describe('interop', function () { // // 'http://www.w3.org/2000/09/xmldsig#sha1'); // // sig.signingKey = fs.readFileSync(__dirname + '/test-auth0.key'); - + // // sig.keyInfoProvider = { // // getKeyInfo: function () { // // return "" + fs.readFileSync(__dirname + '/test-auth0.cer') + ""; // // } // // }; - // // sig.computeSignature(SAMLResponse); + // // sig.computeSignature(SAMLResponse); // // SAMLResponse = sig.getSignedXml(); // //console.log(SAMLResponse) diff --git a/test/saml11.tests.js b/test/saml11.tests.js index 43a0e3d..7ca3a59 100644 --- a/test/saml11.tests.js +++ b/test/saml11.tests.js @@ -1,6 +1,6 @@ var assert = require('assert'), fs = require('fs'), - utils = require('./utils'), + helpers = require('./helpers'), moment = require('moment'), should = require('should'), saml11 = require('saml').Saml11, diff --git a/test/saml20.tests.js b/test/saml20.tests.js index 8d91724..7aded56 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -1,6 +1,6 @@ var assert = require('assert'), fs = require('fs'), - utils = require('./utils'), + helpers = require('./helpers'), moment = require('moment'), should = require('should'), saml20 = require('saml').Saml20, diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 6cda1de..74dfa27 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -6,7 +6,7 @@ var xmldom = require('xmldom'); var fs = require('fs'); var zlib = require('zlib'); var crypto = require('crypto'); -var utils = require('./utils'); +var helpers = require('./helpers'); var server = require('./fixture/samlp-server'); var Samlp = require('../lib/passport-wsfed-saml2/samlp'); @@ -470,7 +470,7 @@ describe('samlp (functional tests)', function () { var signedRequest = new Buffer(signedSAMLRequest, 'base64').toString(); var signingCert = fs.readFileSync(__dirname + '/test-auth0.pem'); - expect(utils.isValidSignature(signedRequest, signingCert)) + expect(helpers.isValidSignature(signedRequest, signingCert)) .to.equal(true); done(); }); diff --git a/test/utils.js b/test/utils.js index 95bb7c6..2114ca8 100644 --- a/test/utils.js +++ b/test/utils.js @@ -1,65 +1,84 @@ -var xmlCrypto = require('xml-crypto'), - crypto = require('crypto'), - xmldom = require('xmldom'); +var expect = require('chai').expect; -exports.isValidSignature = function(assertion, cert) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - var signature = xmlCrypto.xpath(doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0]; - var sig = new xmlCrypto.SignedXml(null, { idAttribute: 'AssertionID' }); - sig.keyInfoProvider = { - getKeyInfo: function (key) { - return ""; - }, - getKey: function (keyInfo) { - return cert; - } - }; - sig.loadSignature(signature.toString()); - return sig.checkSignature(assertion); -}; +var lib = require('../lib/passport-wsfed-saml2'); +var utils = require('../lib/passport-wsfed-saml2/utils'); -exports.getIssuer = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement.getAttribute('Issuer'); -}; +describe('utils', function () { + describe('parseSamlAssertion', function () { + it('should work', function (done) { + var assertion = utils.parseSamlAssertion(''); + expect(assertion.childNodes.length) + .to.equal(1); + done(); + }); -exports.getAssertionID = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement.getAttribute('AssertionID'); -}; + it('should throw an error with more details', function (done) { + function parse() { + try { + utils.parseSamlAssertion('
'); + } catch (e) { + return e; + } + } -exports.getIssueInstant = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement.getAttribute('IssueInstant'); -}; + var err = parse(); + expect(err.name) + .to.equal('SamlAssertionParserError'); + expect(err.detail) + .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); + done(); + }); + }); -exports.getConditions = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement.getElementsByTagName('saml:Conditions'); -}; + describe('parseSamlResponse', function () { + it('should work', function (done) { + var response = utils.parseSamlResponse(''); + expect(response.childNodes.length) + .to.equal(1); + done(); + }); -exports.getAudiences = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement - .getElementsByTagName('saml:Conditions')[0] - .getElementsByTagName('saml:AudienceRestrictionCondition')[0] - .getElementsByTagName('saml:Audience'); -}; + it('should throw an error with more details', function (done) { + function parse() { + try { + utils.parseSamlResponse('
'); + } catch (e) { + return e; + } + } -exports.getAuthenticationStatement = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement - .getElementsByTagName('saml:AuthenticationStatement')[0]; -}; + var err = parse(); + expect(err.name) + .to.equal('SamlResponseParserError'); + expect(err.detail) + .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); + done(); + }); + }); -exports.getAttributes = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement - .getElementsByTagName('saml:Attribute'); -}; + describe('parseWsFedResponse', function () { + it('should work', function (done) { + var response = utils.parseWsFedResponse(''); + expect(response.childNodes.length) + .to.equal(1); + done(); + }); -exports.getNameIdentifier = function(assertion) { - var doc = new xmldom.DOMParser().parseFromString(assertion); - return doc.documentElement - .getElementsByTagName('saml:NameIdentifier')[0]; -}; + it('should throw an error with more details', function (done) { + function parse() { + try { + utils.parseWsFedResponse('
'); + } catch (e) { + return e; + } + } + + var err = parse(); + expect(err.name) + .to.equal('WSFederationResultParseError'); + expect(err.detail) + .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); + done(); + }); + }); +}); From 89c60cf46f9ef2639b344147f0d1c2fd45677ed2 Mon Sep 17 00:00:00 2001 From: Sandrino Di Mattia Date: Wed, 24 May 2017 21:34:47 +0200 Subject: [PATCH 197/203] Indentation using spaces --- test/utils.js | 138 +++++++++++++++++++++++++------------------------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/test/utils.js b/test/utils.js index 2114ca8..c3588ad 100644 --- a/test/utils.js +++ b/test/utils.js @@ -4,81 +4,81 @@ var lib = require('../lib/passport-wsfed-saml2'); var utils = require('../lib/passport-wsfed-saml2/utils'); describe('utils', function () { - describe('parseSamlAssertion', function () { - it('should work', function (done) { - var assertion = utils.parseSamlAssertion(''); - expect(assertion.childNodes.length) - .to.equal(1); - done(); - }); + describe('parseSamlAssertion', function () { + it('should work', function (done) { + var assertion = utils.parseSamlAssertion(''); + expect(assertion.childNodes.length) + .to.equal(1); + done(); + }); - it('should throw an error with more details', function (done) { - function parse() { - try { - utils.parseSamlAssertion('
'); - } catch (e) { - return e; - } - } + it('should throw an error with more details', function (done) { + function parse() { + try { + utils.parseSamlAssertion('
'); + } catch (e) { + return e; + } + } - var err = parse(); - expect(err.name) - .to.equal('SamlAssertionParserError'); - expect(err.detail) - .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); - done(); - }); - }); + var err = parse(); + expect(err.name) + .to.equal('SamlAssertionParserError'); + expect(err.detail) + .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); + done(); + }); + }); - describe('parseSamlResponse', function () { - it('should work', function (done) { - var response = utils.parseSamlResponse(''); - expect(response.childNodes.length) - .to.equal(1); - done(); - }); + describe('parseSamlResponse', function () { + it('should work', function (done) { + var response = utils.parseSamlResponse(''); + expect(response.childNodes.length) + .to.equal(1); + done(); + }); - it('should throw an error with more details', function (done) { - function parse() { - try { - utils.parseSamlResponse('
'); - } catch (e) { - return e; - } - } + it('should throw an error with more details', function (done) { + function parse() { + try { + utils.parseSamlResponse('
'); + } catch (e) { + return e; + } + } - var err = parse(); - expect(err.name) - .to.equal('SamlResponseParserError'); - expect(err.detail) - .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); - done(); - }); - }); + var err = parse(); + expect(err.name) + .to.equal('SamlResponseParserError'); + expect(err.detail) + .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); + done(); + }); + }); - describe('parseWsFedResponse', function () { - it('should work', function (done) { - var response = utils.parseWsFedResponse(''); - expect(response.childNodes.length) - .to.equal(1); - done(); - }); + describe('parseWsFedResponse', function () { + it('should work', function (done) { + var response = utils.parseWsFedResponse(''); + expect(response.childNodes.length) + .to.equal(1); + done(); + }); - it('should throw an error with more details', function (done) { - function parse() { - try { - utils.parseWsFedResponse('
'); - } catch (e) { - return e; - } - } + it('should throw an error with more details', function (done) { + function parse() { + try { + utils.parseWsFedResponse('
'); + } catch (e) { + return e; + } + } - var err = parse(); - expect(err.name) - .to.equal('WSFederationResultParseError'); - expect(err.detail) - .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); - done(); - }); - }); + var err = parse(); + expect(err.name) + .to.equal('WSFederationResultParseError'); + expect(err.detail) + .to.equal('end tag name: div is not match the current start tagName:t:RequestSecurityTokenResponse'); + done(); + }); + }); }); From d47901d69e04ae4426a44e51c42b9ca2b759736f Mon Sep 17 00:00:00 2001 From: Sandrino Di Mattia Date: Wed, 24 May 2017 21:35:07 +0200 Subject: [PATCH 198/203] Removed yarn.lock --- yarn.lock | 562 ------------------------------------------------------ 1 file changed, 562 deletions(-) delete mode 100644 yarn.lock diff --git a/yarn.lock b/yarn.lock deleted file mode 100644 index d872c28..0000000 --- a/yarn.lock +++ /dev/null @@ -1,562 +0,0 @@ -# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. -# yarn lockfile v1 - - -assertion-error@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/assertion-error/-/assertion-error-1.0.0.tgz#c7f85438fdd466bc7ca16ab90c81513797a5d23b" - -async@^2.1.5: - version "2.4.1" - resolved "https://registry.yarnpkg.com/async/-/async-2.4.1.tgz#62a56b279c98a11d0987096a01cc3eeb8eb7bbd7" - dependencies: - lodash "^4.14.0" - -async@~0.2.7: - version "0.2.10" - resolved "https://registry.yarnpkg.com/async/-/async-0.2.10.tgz#b6bbe0b0674b9d719708ca38de8c237cb526c3d1" - -base64url@2.0.0, base64url@^2.0.0: - version "2.0.0" - resolved "https://registry.yarnpkg.com/base64url/-/base64url-2.0.0.tgz#eac16e03ea1438eff9423d69baa36262ed1f70bb" - -boolbase@~1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/boolbase/-/boolbase-1.0.0.tgz#68dff5fbe60c51eb37725ea9e3ed310dcc1e776e" - -boom@0.4.x: - version "0.4.2" - resolved "https://registry.yarnpkg.com/boom/-/boom-0.4.2.tgz#7a636e9ded4efcefb19cef4947a3c67dfaee911b" - dependencies: - hoek "0.9.x" - -buffer-crc32@0.1.1: - version "0.1.1" - resolved "https://registry.yarnpkg.com/buffer-crc32/-/buffer-crc32-0.1.1.tgz#7e110dc9953908ab7c32acdc70c9f945b1cbc526" - -buffer-crc32@~0.2.1: - version "0.2.13" - resolved "https://registry.yarnpkg.com/buffer-crc32/-/buffer-crc32-0.2.13.tgz#0d333e3f00eac50aa1454abd30ef8c2a5d9a7242" - -buffer-equal-constant-time@1.0.1: - version "1.0.1" - resolved "https://registry.yarnpkg.com/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz#f8e71132f7ffe6e01a5c9697a4c6f3e48d5cc819" - -bytes@0.2.0: - version "0.2.0" - resolved "https://registry.yarnpkg.com/bytes/-/bytes-0.2.0.tgz#aad33ec14e3dc2ca74e8e7d451f9ba053ad4f7a0" - -chai-passport-strategy@1.x.x: - version "1.0.0" - resolved "https://registry.yarnpkg.com/chai-passport-strategy/-/chai-passport-strategy-1.0.0.tgz#b8ed610460455aa2e6f4f66858a426b792556481" - -chai@2.x.x: - version "2.3.0" - resolved "https://registry.yarnpkg.com/chai/-/chai-2.3.0.tgz#8a2f6a34748da801090fd73287b2aa739a4e909a" - dependencies: - assertion-error "1.0.0" - deep-eql "0.1.3" - -cheerio@~0.19.0: - version "0.19.0" - resolved "https://registry.yarnpkg.com/cheerio/-/cheerio-0.19.0.tgz#772e7015f2ee29965096d71ea4175b75ab354925" - dependencies: - css-select "~1.0.0" - dom-serializer "~0.1.0" - entities "~1.1.1" - htmlparser2 "~3.8.1" - lodash "^3.2.0" - -combined-stream@~0.0.4: - version "0.0.7" - resolved "https://registry.yarnpkg.com/combined-stream/-/combined-stream-0.0.7.tgz#0137e657baa5a7541c57ac37ac5fc07d73b4dc1f" - dependencies: - delayed-stream "0.0.5" - -commander@0.6.1: - version "0.6.1" - resolved "https://registry.yarnpkg.com/commander/-/commander-0.6.1.tgz#fa68a14f6a945d54dbbe50d8cdb3320e9e3b1a06" - -connect@2.7.5: - version "2.7.5" - resolved "https://registry.yarnpkg.com/connect/-/connect-2.7.5.tgz#139111b4b03f0533a524927a88a646ae467b2c02" - dependencies: - buffer-crc32 "0.1.1" - bytes "0.2.0" - cookie "0.0.5" - cookie-signature "1.0.0" - debug "*" - formidable "1.0.11" - fresh "0.1.0" - pause "0.0.1" - qs "0.5.1" - send "0.1.0" - -cookie-signature@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.0.tgz#0044f332ac623df851c914e88eacc57f0c9704fe" - -cookie@0.0.5: - version "0.0.5" - resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.0.5.tgz#f9acf9db57eb7568c9fcc596256b7bb22e307c81" - -core-util-is@~1.0.0: - version "1.0.2" - resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.2.tgz#b5fd54220aa2bc5ab57aab7140c940754503c1a7" - -cryptiles@~0.2.2: - version "0.2.2" - resolved "https://registry.yarnpkg.com/cryptiles/-/cryptiles-0.2.2.tgz#ed91ff1f17ad13d3748288594f8a48a0d26f325c" - dependencies: - boom "0.4.x" - -css-select@~1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/css-select/-/css-select-1.0.0.tgz#b1121ca51848dd264e2244d058cee254deeb44b0" - dependencies: - boolbase "~1.0.0" - css-what "1.0" - domutils "1.4" - nth-check "~1.0.0" - -css-what@1.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/css-what/-/css-what-1.0.0.tgz#d7cc2df45180666f99d2b14462639469e00f736c" - -debug@*: - version "2.6.8" - resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.8.tgz#e731531ca2ede27d188222427da17821d68ff4fc" - dependencies: - ms "2.0.0" - -deep-eql@0.1.3: - version "0.1.3" - resolved "https://registry.yarnpkg.com/deep-eql/-/deep-eql-0.1.3.tgz#ef558acab8de25206cd713906d74e56930eb69f2" - dependencies: - type-detect "0.1.1" - -delayed-stream@0.0.5: - version "0.0.5" - resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-0.0.5.tgz#d4b1f43a93e8296dfe02694f4680bc37a313c73f" - -diff@1.0.2: - version "1.0.2" - resolved "https://registry.yarnpkg.com/diff/-/diff-1.0.2.tgz#4ae73f1aee8d6fcf484f1a1ce77ce651d9b7f0c9" - -dom-serializer@0, dom-serializer@~0.1.0: - version "0.1.0" - resolved "https://registry.yarnpkg.com/dom-serializer/-/dom-serializer-0.1.0.tgz#073c697546ce0780ce23be4a28e293e40bc30c82" - dependencies: - domelementtype "~1.1.1" - entities "~1.1.1" - -domelementtype@1, domelementtype@~1.1.1: - version "1.1.3" - resolved "https://registry.yarnpkg.com/domelementtype/-/domelementtype-1.1.3.tgz#bd28773e2642881aec51544924299c5cd822185b" - -domhandler@2.3: - version "2.3.0" - resolved "https://registry.yarnpkg.com/domhandler/-/domhandler-2.3.0.tgz#2de59a0822d5027fabff6f032c2b25a2a8abe738" - dependencies: - domelementtype "1" - -domutils@1.4: - version "1.4.3" - resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.4.3.tgz#0865513796c6b306031850e175516baf80b72a6f" - dependencies: - domelementtype "1" - -domutils@1.5: - version "1.5.1" - resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.5.1.tgz#dcd8488a26f563d61079e48c9f7b7e32373682cf" - dependencies: - dom-serializer "0" - domelementtype "1" - -ecdsa-sig-formatter@1.0.9: - version "1.0.9" - resolved "https://registry.yarnpkg.com/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.9.tgz#4bc926274ec3b5abb5016e7e1d60921ac262b2a1" - dependencies: - base64url "^2.0.0" - safe-buffer "^5.0.1" - -ejs@2.5.5: - version "2.5.5" - resolved "https://registry.yarnpkg.com/ejs/-/ejs-2.5.5.tgz#6ef4e954ea7dcf54f66aad2fe7aa421932d9ed77" - -ejs@^2.5.6: - version "2.5.6" - resolved "https://registry.yarnpkg.com/ejs/-/ejs-2.5.6.tgz#479636bfa3fe3b1debd52087f0acb204b4f19c88" - -ejs@~0.8.3: - version "0.8.8" - resolved "https://registry.yarnpkg.com/ejs/-/ejs-0.8.8.tgz#ffdc56dcc35d02926dd50ad13439bbc54061d598" - -entities@1.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/entities/-/entities-1.0.0.tgz#b2987aa3821347fcde642b24fdfc9e4fb712bf26" - -entities@~1.1.1: - version "1.1.1" - resolved "https://registry.yarnpkg.com/entities/-/entities-1.1.1.tgz#6e5c2d0a5621b5dadaecef80b90edfb5cd7772f0" - -express@~3.1.0: - version "3.1.2" - resolved "https://registry.yarnpkg.com/express/-/express-3.1.2.tgz#52a02c8db8f22bbfa0d7478d847cd45161f985f7" - dependencies: - buffer-crc32 "~0.2.1" - commander "0.6.1" - connect "2.7.5" - cookie "0.0.5" - cookie-signature "1.0.0" - debug "*" - fresh "0.1.0" - methods "0.0.1" - mkdirp "~0.3.4" - range-parser "0.0.4" - send "0.1.0" - -foreach@~2.0.1: - version "2.0.5" - resolved "https://registry.yarnpkg.com/foreach/-/foreach-2.0.5.tgz#0bee005018aeb260d0a3af3ae658dd0136ec1b99" - -form-data@~0.0.3: - version "0.0.10" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-0.0.10.tgz#db345a5378d86aeeb1ed5d553b869ac192d2f5ed" - dependencies: - async "~0.2.7" - combined-stream "~0.0.4" - mime "~1.2.2" - -formidable@1.0.11: - version "1.0.11" - resolved "https://registry.yarnpkg.com/formidable/-/formidable-1.0.11.tgz#68f63325a035e644b6f7bb3d11243b9761de1b30" - -fresh@0.1.0: - version "0.1.0" - resolved "https://registry.yarnpkg.com/fresh/-/fresh-0.1.0.tgz#03e4b0178424e4c2d5d19a54d8814cdc97934850" - -growl@1.7.x: - version "1.7.0" - resolved "https://registry.yarnpkg.com/growl/-/growl-1.7.0.tgz#de2d66136d002e112ba70f3f10c31cf7c350b2da" - -hoek@0.9.x: - version "0.9.1" - resolved "https://registry.yarnpkg.com/hoek/-/hoek-0.9.1.tgz#3d322462badf07716ea7eb85baf88079cddce505" - -htmlparser2@~3.8.1: - version "3.8.3" - resolved "https://registry.yarnpkg.com/htmlparser2/-/htmlparser2-3.8.3.tgz#996c28b191516a8be86501a7d79757e5c70c1068" - dependencies: - domelementtype "1" - domhandler "2.3" - domutils "1.5" - entities "1.0" - readable-stream "1.1" - -indexof@~0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/indexof/-/indexof-0.0.1.tgz#82dc336d232b9062179d05ab3293a66059fd435d" - -inherits@~2.0.1: - version "2.0.3" - resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.3.tgz#633c2c83e3da42a502f52466022480f4208261de" - -is-object@~0.1.2: - version "0.1.2" - resolved "https://registry.yarnpkg.com/is-object/-/is-object-0.1.2.tgz#00efbc08816c33cfc4ac8251d132e10dc65098d7" - -is@~0.2.6: - version "0.2.7" - resolved "https://registry.yarnpkg.com/is/-/is-0.2.7.tgz#3b34a2c48f359972f35042849193ae7264b63562" - -isarray@0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/isarray/-/isarray-0.0.1.tgz#8a18acfca9a8f4177e09abfc6038939b05d1eedf" - -jade@0.26.3: - version "0.26.3" - resolved "https://registry.yarnpkg.com/jade/-/jade-0.26.3.tgz#8f10d7977d8d79f2f6ff862a81b0513ccb25686c" - dependencies: - commander "0.6.1" - mkdirp "0.3.0" - -jsonwebtoken@~5.0.4: - version "5.0.5" - resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-5.0.5.tgz#6592cc05ee03dd5ad9e03a910911a4da79afe0f8" - dependencies: - jws "^3.0.0" - -jwa@^1.1.4: - version "1.1.5" - resolved "https://registry.yarnpkg.com/jwa/-/jwa-1.1.5.tgz#a0552ce0220742cd52e153774a32905c30e756e5" - dependencies: - base64url "2.0.0" - buffer-equal-constant-time "1.0.1" - ecdsa-sig-formatter "1.0.9" - safe-buffer "^5.0.1" - -jws@^3.0.0: - version "3.1.4" - resolved "https://registry.yarnpkg.com/jws/-/jws-3.1.4.tgz#f9e8b9338e8a847277d6444b1464f61880e050a2" - dependencies: - base64url "^2.0.0" - jwa "^1.1.4" - safe-buffer "^5.0.1" - -lodash@^3.2.0: - version "3.10.1" - resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6" - -lodash@^4.14.0: - version "4.17.4" - resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.4.tgz#78203a4d1c328ae1d86dca6460e369b57f4055ae" - -methods@0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/methods/-/methods-0.0.1.tgz#277c90f8bef39709645a8371c51c3b6c648e068c" - -mime@1.2.6: - version "1.2.6" - resolved "https://registry.yarnpkg.com/mime/-/mime-1.2.6.tgz#b1f86c768c025fa87b48075f1709f28aeaf20365" - -mime@~1.2.2, mime@~1.2.7: - version "1.2.11" - resolved "https://registry.yarnpkg.com/mime/-/mime-1.2.11.tgz#58203eed86e3a5ef17aed2b7d9ebd47f0a60dd10" - -mkdirp@0.3.0: - version "0.3.0" - resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.3.0.tgz#1bbf5ab1ba827af23575143490426455f481fe1e" - -mkdirp@0.3.3: - version "0.3.3" - resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.3.3.tgz#595e251c1370c3a68bab2136d0e348b8105adf13" - -mkdirp@~0.3.4: - version "0.3.5" - resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.3.5.tgz#de3e5f8961c88c787ee1368df849ac4413eca8d7" - -mocha@~1.8.1: - version "1.8.2" - resolved "https://registry.yarnpkg.com/mocha/-/mocha-1.8.2.tgz#fb6b1d07d98f2eba418546844c3be0731f75e390" - dependencies: - commander "0.6.1" - debug "*" - diff "1.0.2" - growl "1.7.x" - jade "0.26.3" - mkdirp "0.3.3" - ms "0.3.0" - -moment@~1.7.2: - version "1.7.2" - resolved "https://registry.yarnpkg.com/moment/-/moment-1.7.2.tgz#e66be344be2e9ec1d12f1e16a8ca49bf63417f4f" - -ms@0.3.0: - version "0.3.0" - resolved "https://registry.yarnpkg.com/ms/-/ms-0.3.0.tgz#03edc348d613e66a56486cfdac53bcbe899cbd61" - -ms@2.0.0: - version "2.0.0" - resolved "https://registry.yarnpkg.com/ms/-/ms-2.0.0.tgz#5608aeadfc00be6c2901df5f9861788de0d597c8" - -node-forge@^0.7.0: - version "0.7.1" - resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.7.1.tgz#9da611ea08982f4b94206b3beb4cc9665f20c300" - -nth-check@~1.0.0: - version "1.0.1" - resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-1.0.1.tgz#9929acdf628fc2c41098deab82ac580cf149aae4" - dependencies: - boolbase "~1.0.0" - -object-keys@~0.2.0: - version "0.2.0" - resolved "https://registry.yarnpkg.com/object-keys/-/object-keys-0.2.0.tgz#cddec02998b091be42bf1035ae32e49f1cb6ea67" - dependencies: - foreach "~2.0.1" - indexof "~0.0.1" - is "~0.2.6" - -passport-strategy@1.x.x, passport-strategy@^1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/passport-strategy/-/passport-strategy-1.0.0.tgz#b5539aa8fc225a3d1ad179476ddf236b440f52e4" - -passport@^0.3.2: - version "0.3.2" - resolved "https://registry.yarnpkg.com/passport/-/passport-0.3.2.tgz#9dd009f915e8fe095b0124a01b8f82da07510102" - dependencies: - passport-strategy "1.x.x" - pause "0.0.1" - -pause@0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/pause/-/pause-0.0.1.tgz#1d408b3fdb76923b9543d96fb4c9dfd535d9cb5d" - -qs@0.5.1: - version "0.5.1" - resolved "https://registry.yarnpkg.com/qs/-/qs-0.5.1.tgz#9f6bf5d9ac6c76384e95d36d15b48980e5e4add0" - -range-parser@0.0.4: - version "0.0.4" - resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-0.0.4.tgz#c0427ffef51c10acba0782a46c9602e744ff620b" - -readable-stream@1.1: - version "1.1.13" - resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-1.1.13.tgz#f6eef764f514c89e2b9e23146a75ba106756d23e" - dependencies: - core-util-is "~1.0.0" - inherits "~2.0.1" - isarray "0.0.1" - string_decoder "~0.10.x" - -request@~2.14.0: - version "2.14.0" - resolved "https://registry.yarnpkg.com/request/-/request-2.14.0.tgz#0d8acbb0b14c1ab82e000b7d381fa8c80d1a7d88" - dependencies: - form-data "~0.0.3" - mime "~1.2.7" - -safe-buffer@^5.0.1: - version "5.0.1" - resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.0.1.tgz#d263ca54696cd8a306b5ca6551e92de57918fbe7" - -saml@~0.4.1, saml@~0.4.2, saml@~0.4.4: - version "0.4.4" - resolved "https://registry.yarnpkg.com/saml/-/saml-0.4.4.tgz#f8919b42b2f4d2cb1ac2357e13d3bf0b93e190f4" - dependencies: - moment "~1.7.2" - xml-crypto "~0.0.17" - xmldom "=0.1.15" - -samlp@~0.4.3: - version "0.4.8" - resolved "https://registry.yarnpkg.com/samlp/-/samlp-0.4.8.tgz#9b334456098de8367095fe765316d46818ad50df" - dependencies: - ejs "~0.8.3" - saml "~0.4.2" - thumbprint "0.0.1" - xml-crypto "0.0.13" - xmldom "~0.1.15" - xpath "0.0.5" - -sax@>=0.1.1: - version "1.2.2" - resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.2.tgz#fd8631a23bc7826bef5d871bdb87378c95647828" - -send@0.1.0: - version "0.1.0" - resolved "https://registry.yarnpkg.com/send/-/send-0.1.0.tgz#cfb08ebd3cec9b7fc1a37d9ff9e875a971cf4640" - dependencies: - debug "*" - fresh "0.1.0" - mime "1.2.6" - range-parser "0.0.4" - -should@~1.1.0: - version "1.1.1" - resolved "https://registry.yarnpkg.com/should/-/should-1.1.1.tgz#6d53421aff1b0672bc5bb4755a075606f58eba2d" - -string_decoder@~0.10.x: - version "0.10.31" - resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-0.10.31.tgz#62e203bc41766c6c28c9fc84301dab1c5310fa94" - -thumbprint@0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/thumbprint/-/thumbprint-0.0.1.tgz#55e86f9a9b14efb45b15c039645d47b6226bb777" - -type-detect@0.1.1: - version "0.1.1" - resolved "https://registry.yarnpkg.com/type-detect/-/type-detect-0.1.1.tgz#0ba5ec2a885640e470ea4e8505971900dac58822" - -uid2@0.0.x: - version "0.0.3" - resolved "https://registry.yarnpkg.com/uid2/-/uid2-0.0.3.tgz#483126e11774df2f71b8b639dcd799c376162b82" - -wsfed@~0.3.5: - version "0.3.11" - resolved "https://registry.yarnpkg.com/wsfed/-/wsfed-0.3.11.tgz#1e92602eace3de04ac2c4436c54545d3fe5341fc" - dependencies: - ejs "~0.8.3" - saml "~0.4.1" - thumbprint "0.0.1" - -xml-crypto@0.0.13: - version "0.0.13" - resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-0.0.13.tgz#6d50ac4d9ebd513e39bcc959a04b4ac5cfc3085a" - dependencies: - xmldom ">=0.1.8" - -"xml-crypto@https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d": - version "0.0.18" - resolved "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d#3ebbd8aadf134276ea8547af0cfd4f7e7fa13d07" - dependencies: - xmldom "git+https://github.com/yaronn/xmldom.git" - xpath.js ">=0.0.3" - -xml-crypto@~0.0.17: - version "0.0.23" - resolved "https://registry.yarnpkg.com/xml-crypto/-/xml-crypto-0.0.23.tgz#2ace8859e9ebd0ef78cdd8ce0da29306f2699460" - dependencies: - xmldom "=0.1.16" - xmldom-fork-fixed ">=0.0.1" - xpath.js ">=0.0.3" - -xml-encryption@0.11.0: - version "0.11.0" - resolved "https://registry.yarnpkg.com/xml-encryption/-/xml-encryption-0.11.0.tgz#458c2cb7d0300ff62d304c74eb3ded08ca97456b" - dependencies: - async "^2.1.5" - ejs "^2.5.6" - node-forge "^0.7.0" - xmldom "~0.1.15" - xpath "0.0.24" - -xml2js@0.1.x: - version "0.1.14" - resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.1.14.tgz#5274e67f5a64c5f92974cd85139e0332adc6b90c" - dependencies: - sax ">=0.1.1" - -xmldom-fork-fixed@>=0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/xmldom-fork-fixed/-/xmldom-fork-fixed-0.0.1.tgz#b0cdba157a579d1b6eb471c9615bc8e512c5a28b" - -xmldom@=0.1.15: - version "0.1.15" - resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.15.tgz#b3048062f1bdd52edc421424459f06dceeb2f94d" - -xmldom@=0.1.16: - version "0.1.16" - resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.16.tgz#cf2602832b1ab5c3e6813fca08fe70196ba15e8c" - -xmldom@>=0.1.8, xmldom@~0.1.15: - version "0.1.27" - resolved "https://registry.yarnpkg.com/xmldom/-/xmldom-0.1.27.tgz#d501f97b3bdb403af8ef9ecc20573187aadac0e9" - -"xmldom@git+https://github.com/yaronn/xmldom.git": - version "0.1.16" - resolved "git+https://github.com/yaronn/xmldom.git#68768a6a31f55b0737d7beb88807bc80146b2651" - -"xmldom@https://github.com/auth0/xmldom/tarball/master": - version "0.1.19" - resolved "https://github.com/auth0/xmldom/tarball/master#62af710fc82d42956d8e6918bd1bacf85163cb37" - -xpath.js@>=0.0.3: - version "1.0.7" - resolved "https://registry.yarnpkg.com/xpath.js/-/xpath.js-1.0.7.tgz#7e94627f541276cbc6a6b02b5d35e9418565b3e4" - -xpath@0.0.24: - version "0.0.24" - resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.24.tgz#1ade162e1cc523c8d39fc7d06afc16ea216f29fb" - -xpath@0.0.5: - version "0.0.5" - resolved "https://registry.yarnpkg.com/xpath/-/xpath-0.0.5.tgz#454036f6ef0f3df5af5d4ba4a119fb75674b3e6c" - -xtend@~2.0.3: - version "2.0.6" - resolved "https://registry.yarnpkg.com/xtend/-/xtend-2.0.6.tgz#5ea657a6dba447069c2e59c58a1138cb0c5e6cee" - dependencies: - is-object "~0.1.2" - object-keys "~0.2.0" From e92272d1e9cbbaa4ed6a1914f75d9874e8d201ab Mon Sep 17 00:00:00 2001 From: jhiner Date: Sat, 3 Jun 2017 09:17:14 -0400 Subject: [PATCH 199/203] Add support for ProviderName option --- lib/passport-wsfed-saml2/samlp.js | 3 ++- test/samlp.tests.js | 27 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 98deff1..476023f 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -102,7 +102,8 @@ Samlp.prototype = { ProtocolBinding: options.protocolBinding || BINDINGS.HTTP_POST, ForceAuthn: options.forceAuthn, AssertServiceURLAndDestination: assert_and_destination, - AuthnContext: options.authnContext || '' + AuthnContext: options.authnContext || '', + ProviderName: options.providerName || '' }; if (options.requestContext) { diff --git a/test/samlp.tests.js b/test/samlp.tests.js index b4ce3fb..a9a748e 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -499,6 +499,33 @@ describe('samlp (functional tests)', function () { describe('samlp (unit tests)', function () { + describe('samlrequest with template', function() { + it('should use providername option', function(done) { + var samlp = new Samlp({ + identityProviderUrl: server.identityProviderUrl, + requestTemplate: '@@Issuer@@', + protocol: 'samlp', + providerName: 'Some name' + }); + samlp.getSamlRequestParams({}, function(err, params) { + expect(params).to.have.property('SAMLRequest'); + var SAMLRequest = params.SAMLRequest; + + zlib.inflateRaw(new Buffer(SAMLRequest, 'base64'), function (err, buffer) { + if (err) return done(err); + + var request = buffer.toString(); + var doc = new xmldom.DOMParser().parseFromString(request); + + expect(doc.documentElement.getAttribute('ProviderName')) + .to.equal('Some name'); + + done(); + }); + }); + }); + }); + describe('extractAssertion', function () { var samlpResponse = 'urn:fixture-testurn:fixture-test12345678https://auth0-dev-ed.my.salesforce.com12345678jfoo@gmail.comJohn FooJohnFoourn:oasis:names:tc:SAML:2.0:ac:classes:unspecifiedYkV3DdlEa19Gb0eE3jTYTVPalV1kZ88fbIv4blO9T1Y=ZiINpNlahQlp1JbgFsamI1/pZ+zcPsZboESVayxBMtrUBYNC4IG2VBnqku7paDxJQ7624CvcNzAYWYCv/2/c67Bv6YhQwK1rb4DPEL6OvbI8FNkYAhTNNw5UhUTEMjnJ7AncV/svUTYyIOyktuCvQh3tR4teZJV+BM3IKj9vRQQbCRNSUVHJEe963ma5HcCyo+RhIKU1pm4+ycswOlY9F115roKB4RNRJLs7Z5fyzhbOoCUujR9MMKHHq+CWaYvh5SkjaH1wMorlPlJtq5dhTZtDRhj4HwxYpCG5b4NF2vp+Jpni4dDFKou0Lzk0k6ueCJGcNHfidfEB3RB20Hed2g==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo='; From cb87960fe826394ad2d813ec6b12aaabc1f4c6ba Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Thu, 8 Jun 2017 20:43:20 +0200 Subject: [PATCH 200/203] Bumped xml-crypto to the latest version --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d1844c1..ad09df8 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,7 @@ "jsonwebtoken": "~5.0.4", "passport-strategy": "^1.0.0", "uid2": "0.0.x", - "xml-crypto": "https://github.com/auth0/xml-crypto/tarball/064dc3464669d2ce567a01bff7a4a073420dda6d", + "xml-crypto": "^0.10.1", "xml-encryption": "0.11.0", "xml2js": "0.1.x", "xmldom": "https://github.com/auth0/xmldom/tarball/master", From 56732c6e6c4152551411b53446bae105eae5ad49 Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Thu, 8 Jun 2017 21:07:08 +0200 Subject: [PATCH 201/203] 2.13.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index ad09df8..89be66d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-wsfed-saml2", - "version": "2.12.0", + "version": "2.13.0", "description": "SAML2 Protocol and WS-Fed library", "scripts": { "test": "mocha --reporter spec --recursive" From 85342f08a9f457c314eea7ac57eace4ca3d4910c Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Wed, 14 Jun 2017 17:06:29 +0200 Subject: [PATCH 202/203] Uncommented errors, moved flag after validation --- lib/passport-wsfed-saml2/saml.js | 7 ++++--- lib/passport-wsfed-saml2/samlp.js | 9 ++++++--- test/interop.tests.js | 12 +++++------- test/saml20.tests.js | 2 +- test/samlp.tests.js | 18 ++++++++++++++---- 5 files changed, 30 insertions(+), 18 deletions(-) diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index 9c4bb18..94220cb 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -188,7 +188,6 @@ SAML.prototype.validateRecipient = function(samlAssertion, recipientUrl){ var recipient = subjectConfirmationData[0].getAttribute('Recipient'); - // Used start with to ignore posible query strings var valid = !recipient || recipient === recipientUrl; if (!valid){ @@ -334,8 +333,10 @@ SAML.prototype.parseAssertion = function(samlAssertion, callback) { return callback(new Error('Audience is invalid. Configured: ' + self.options.realm), null); } - if (self.options.checkRecipient && !self.validateRecipient(samlAssertion, self.options.recipientUrl)) { - // return callback(new Error('Recipient is invalid. Configured: ' + self.options.recipientUrl), null); + if (!self.validateRecipient(samlAssertion, self.options.recipientUrl)) { + if (self.options.checkRecipient){ + return callback(new Error('Recipient is invalid. Configured: ' + self.options.recipientUrl), null); + } } var profile = self.parseAttributes(samlAssertion, version); diff --git a/lib/passport-wsfed-saml2/samlp.js b/lib/passport-wsfed-saml2/samlp.js index 0f8c66b..755fe04 100644 --- a/lib/passport-wsfed-saml2/samlp.js +++ b/lib/passport-wsfed-saml2/samlp.js @@ -332,12 +332,15 @@ Samlp.prototype = { // protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the // location at which the message was received. If it does not, the request MUST be discarded. Some // protocol bindings may require the use of this attribute (see [SAMLBind]). - if (self.options && self.options.checkDestination && destination && destination !== self.options.destinationUrl){ - self.eventEmitter.emit('destintationValidationFailed', { + if (destination && destination !== self.options.destinationUrl){ + self.eventEmitter.emit('destinationValidationFailed', { configuredDestination: self.options.destinationUrl, assertionDestination: destination }); - // return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); + + if (self.options && self.options.checkDestination){ + return callback(new Error('Destination endpoint ' + destination + ' did not match ' + self.options.destinationUrl)); + } } // check status diff --git a/test/interop.tests.js b/test/interop.tests.js index ec26480..631b2c7 100644 --- a/test/interop.tests.js +++ b/test/interop.tests.js @@ -315,13 +315,11 @@ describe('interop', function () { var sm = new SamlPassport(samlOptions); var sp = new samlp(samlpOptions, sm); - sp.validateSamlResponse(new Buffer(response, 'base64').toString(), - function (err){ - console.log(err); - assert.ok(err); - expect(err.toString()).to.equal('Error: Invalid thumbprint (configured: ANOTHER_THUMB. calculated: CD78CA598A6FB28A4D70EF6846C1141666A24240)'); - done(); - }); + sp.validateSamlResponse(new Buffer(response, 'base64').toString(), function (err){ + assert.ok(err); + expect(err.toString()).to.equal('Error: Invalid thumbprint (configured: ANOTHER_THUMB. calculated: CD78CA598A6FB28A4D70EF6846C1141666A24240)'); + done(); + }); }); it('should validate an assertion from a WS-Fed STS using WS-Trust 1.3 namespaces', function (done) { diff --git a/test/saml20.tests.js b/test/saml20.tests.js index 2223dc9..1764f20 100644 --- a/test/saml20.tests.js +++ b/test/saml20.tests.js @@ -139,7 +139,7 @@ describe('saml 2.0 assertion', function () { }); - it.skip('should validate recipent', function (done) { + it('should validate recipent', function (done) { options.lifetimeInSeconds = 600; options.recipient = 'foo'; var signedAssertion = saml20.create(options); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 6b3bdd4..13078da 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -712,7 +712,7 @@ describe('samlp (unit tests)', function () { }); }); - it.skip('should return error for Destination does not match', function(done){ + it('should return error for Destination does not match', function(done){ var samlp = new Samlp({ destinationUrl: 'invalid' }); samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { expect(err).to.be.ok; @@ -747,7 +747,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should return profile even if the namespace is in respsonse element', function(done){ + it('should return profile even if the namespace is in response element', function(done){ var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); var samlResponse = ` http://cidmfed.chop.edu/oam/fed @@ -759,6 +759,8 @@ describe('samlp (unit tests)', function () { cert: cert, thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', checkExpiration: false, + checkDestination: false, + checkRecipient: false, realm: 'urn:auth0:avillachlab:CHOP' }; var samlp = new Samlp(options, new Saml(options)); @@ -769,7 +771,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should return profile even if the namespace is in respsonse element and assertion is signed', function(done){ + it('should return profile even if the namespace is in response element and assertion is signed', function(done){ var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); var samlResponse = ` http://cidmfed.chop.edu/oam/fed @@ -785,6 +787,8 @@ describe('samlp (unit tests)', function () { cert: cert, thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', checkExpiration: false, + checkDestination: false, + checkRecipient: false, realm: 'urn:auth0:avillachlab:CHOP' }; var samlp = new Samlp(options, new Saml(options)); @@ -795,7 +799,7 @@ describe('samlp (unit tests)', function () { }); }); - it('should return profile even if the namespace is in respsonse element', function(done){ + it('should return profile even if the namespace is in response element', function(done){ var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); var samlResponse = ` http://cidmfed.chop.edu/oam/fed @@ -807,6 +811,8 @@ describe('samlp (unit tests)', function () { cert: cert, thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', checkExpiration: false, + checkDestination: false, + checkRecipient: false, realm: 'urn:auth0:avillachlab:CHOP' }; var samlp = new Samlp(options, new Saml(options)); @@ -860,6 +866,8 @@ describe('samlp (unit tests)', function () { thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', checkExpiration: false, + checkDestination: false, + checkRecipient: false, realm: 'urn:auth0:fireglass:putnam' }; var samlp = new Samlp(options, new Saml(options)); @@ -886,6 +894,8 @@ describe('samlp (unit tests)', function () { cert: cert, thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', checkExpiration: false, + checkDestination: false, + checkRecipient: false, realm: 'urn:auth0:safarijv:IBM-Prod' }; var samlp = new Samlp(options, new Saml(options)); From 556c8c9e26ef9bddae1bfc1c18ab10a2b74607fa Mon Sep 17 00:00:00 2001 From: Marcos Castany Date: Fri, 9 Jun 2017 20:04:24 +0200 Subject: [PATCH 203/203] Separated functional tests from unit tests and added extra validation --- lib/passport-wsfed-saml2/saml.js | 10 +- test/samlp.tests.js | 451 +------------------------------ test/samlp.unit.tests.js | 222 +++++++++++++++ 3 files changed, 232 insertions(+), 451 deletions(-) create mode 100644 test/samlp.unit.tests.js diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js index b6c338e..aee70fa 100644 --- a/lib/passport-wsfed-saml2/saml.js +++ b/lib/passport-wsfed-saml2/saml.js @@ -93,12 +93,20 @@ SAML.prototype.validateSignature = function (xml, options, callback) { return callback(new Error('Signature check errors: ' + sig.validationErrors)); } + var uri = sig.references && sig.references[0].uri; // might not be 0 - depending on the document you verify + var id = (uri[0] === '#') ? uri.substring(1) : uri; + + // xml.documentElement is for SAMLResponses (the root ekement). We use the xml part when we are not passing the root element (SAML Assertion) + var element = xml.documentElement || xml; + if (element.getAttribute('ID') != id && element.getAttribute('Id') != id && element.getAttribute('id') != id && element.getAttribute('AssertionID') != id){ + return callback(new Error('The ' + element.nodeName + ' element was not the one verified by the signature')); + } + if (options.cert) { return callback(); } if (options.thumbprints) { - var valid_thumbprint = options.thumbprints.some(function (thumbprint) { return self.calculatedThumbprint.toUpperCase() === thumbprint.toUpperCase(); }); diff --git a/test/samlp.tests.js b/test/samlp.tests.js index 6097e01..ca49ce4 100644 --- a/test/samlp.tests.js +++ b/test/samlp.tests.js @@ -571,455 +571,6 @@ describe('samlp (functional tests)', function () { }); }); -describe('samlp (unit tests)', function () { - - describe('samlrequest with template', function() { - it('should use providername option', function(done) { - var samlp = new Samlp({ - identityProviderUrl: server.identityProviderUrl, - requestTemplate: '@@Issuer@@', - protocol: 'samlp', - providerName: 'Some name' - }); - samlp.getSamlRequestParams({}, function(err, params) { - expect(params).to.have.property('SAMLRequest'); - var SAMLRequest = params.SAMLRequest; - - zlib.inflateRaw(new Buffer(SAMLRequest, 'base64'), function (err, buffer) { - if (err) return done(err); - - var request = buffer.toString(); - var doc = new xmldom.DOMParser().parseFromString(request); - - expect(doc.documentElement.getAttribute('ProviderName')) - .to.equal('Some name'); - - done(); - }); - }); - }); - }); - - describe('extractAssertion', function () { - - var samlpResponse = 'urn:fixture-testurn:fixture-test12345678https://auth0-dev-ed.my.salesforce.com12345678jfoo@gmail.comJohn FooJohnFoourn:oasis:names:tc:SAML:2.0:ac:classes:unspecifiedYkV3DdlEa19Gb0eE3jTYTVPalV1kZ88fbIv4blO9T1Y=ZiINpNlahQlp1JbgFsamI1/pZ+zcPsZboESVayxBMtrUBYNC4IG2VBnqku7paDxJQ7624CvcNzAYWYCv/2/c67Bv6YhQwK1rb4DPEL6OvbI8FNkYAhTNNw5UhUTEMjnJ7AncV/svUTYyIOyktuCvQh3tR4teZJV+BM3IKj9vRQQbCRNSUVHJEe963ma5HcCyo+RhIKU1pm4+ycswOlY9F115roKB4RNRJLs7Z5fyzhbOoCUujR9MMKHHq+CWaYvh5SkjaH1wMorlPlJtq5dhTZtDRhj4HwxYpCG5b4NF2vp+Jpni4dDFKou0Lzk0k6ueCJGcNHfidfEB3RB20Hed2g==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo='; - var samlpReponseWithEncryptedAssertion = ' https://adfs.fmi.ch/adfs/services/trust CN=fmi-test.auth0.com 17575331292066593326 PfbLmL7Eb2NL5lzxyuEuKolgDtHjAuVDV9AaDKp1UqxSKXPGQaF3FTFt7Gl7FRmEdfjMD4xyMII4c6itasV7/N1WIXVw6j9VpvBZ2WPH4lT2gHVXEnCSko+rlk0OfFQN/XFY1HZrPb0PeSYtbuR6Fe2KDLVYYSElrGyn9lbU/zgLB+cV3OiidMamymcTjBYxr3+wv8zhEl2jDYd/04wULeDydhNpA8KFzjy/DQwE4GwlOfuCCtZboai1OXA3++KEuwH2QrC5lRpmnpwV1OJj+ozWDmJrRLA/vpxakQfMzjBcMoBx5wy0dvDaXcjMZk2aaOUhydSC+vd5UYD3npVlog== AZX6tZLTBQJTsrbXGj1QaDf9ZnMigNI3ySiH7deoK0y0M9gkzC6+7tzie7IbavR9QkdLlB0NCnokPFYyxS/w3NsCT3qDk9o45f4LNVqBel1sVagG1rNFcjMsH17V0Phj5idh/acvIx8s22XDC44XXeo0/FT3ZC1HPBBwS+c4UAFI3OiYux61gzA4zg72iZoqs9Wt6ZpJdKn3QtrOCYGQmKrO6lKzgHLkHgB4Lk8Th24OqfeRWdau4j91z28gZ4teSlp9oARgXrrGjdFneXivTSTdDfMwKOmCr5eVfu5jUBCjeaL5DEU/mlpfUwvnQQVOq+rYimq4+Yp1eRXr69diRJ73Ne+7iL7CzqXDLoYuz+ZMdGE2hEU7L0nn1mnmPaGtbdtL92bj2dALNeshWJjjBw7Qem/GjJFEHKzsd1OfhMRuNlfpw6gFku3/+QcYac/FJYzxOIfEzKOQWL8GMLm96CZ0J2Par2yEM9oi4fDtRocjyAhX//JSgiB5HDS3kxDc4HNGSqOgmmXGi6vQR9+82fIlnRP7iO1xD6o61sKHBOMI22bMKouyx0XlKoNHPuPMQGmHfgbty66KFgqkLih5nLX3TzqNommle9ZwvcIvgZ2PWRmiLVtfW/Yc3584zp1CzF/VwqOXCalTkgEObuSXEODU4JpGVAViPCVyriVBu1kWmws/kpfaTUe+brI1m+hp+0tpjKVh+VoesXR+9iPMOHbX39Slmah6zcjU/UjQAN+rtF3SSBMrRd1Fc9VD2fevvD1YvPU9LUAo1BkS7e6ig0jcsX4TC+tdNR+wWiNPhYclIuo06Nd4Uk1f/WkdV1+cRDIobdVabiq6EXSbaJAzbCepCJcOn8dNr0301Os4SIi0EtEQO3wk/Sx7e2UVlmRofK8R3p8TupyO0skMhUzRmlFmsI7kFpKUfcmtshamt9JVN8qIQCowxPgRmy0T67swJgBFdRX5C34CXxNJvGw8Eld7TDoiuQa4FxN2T7ebjaAsBQGYxsBPaGQQFNFTptGNsC+2YDFKV82rftCSyoZiAg3wnz/qjcsB02TOIGtu2I9M/lspl+N4Cb8adludm+YnfK6yRIUFzx2Y7N3hh4WKwvfK8IJuckg+dKC3IOyW2L0dUTScUNB9nB/2jxYLXyiqyT+B+/83BVRBjitFw3F8web3i8iLmMFJswnbL3ONYzUbW7Gu67y+LSHo3yRIneVCJrj91ihvBUMvae7kgoQUVj4vYFMPsykJaFypb59OXe6CyE1bAOHcKnPLRC7tix+TeSgQhHMIqr7yPZXHEhX3FfduxsrrnN4QYIqJOYlirqTh0SdwpT7Y2W02iEdEDBNyJs7kKH4ArRUrSu8xFi/vaNMB896lRy+hMAxdtM131MRV+eY68rNhAb275a3cpsYONRJPym4CRegV48rr6yFHm1vhMoXo2eNBIoQHm4wUInxwhYw0yt/9WM2AU3UwIOdCTHwJQeLWgJu4PDA4O0Tmrm2bS4kFEM4ya3Y6KXhjVHyoxkHzi+PYVNzEKdobhxOP2+1n/5+/SU84+WqcsQxRtoXFloEr1GMSt9L1di4w9uuzYngM49P63CQBMQVi8hz4fPrkZzm/V3MwZ7aOIm9/JTr2IPeuJYE7LHh3VDB2uirFGfrooHncOKDQfAqgSrAF7ztSYgY3DDuBcBMQ3uS8rMqrH0Uwza1hF7p+7dfUZyzt7OF9zGBJmOWK2YLkCL+QiCxJMTG+til3AyHwRVmACdL6uNmBsd31Sr673YiFaPTZC2Q6wu48HYZQ0z5qJwOpBm5EHDuVDCwT/GqkTwQD5182f5jQKX5eWIa9gehuKWrTfOZc0DU93yfE1ZGXJq27RrAv4Lzfh59lRvasGL3PZ+rRLuALgKQ5vBgJXlgk1T/hHP9sB1BAG8OpwQoQOFlx4y8kZLzxQmtRBb9BaTzl43CYLhsXgPBsepRSL3RAyG123LgDRz56TU/b6v8Wuu/GzkC7Afr237HazCiRG/kpKqYAEEWKjHPVzKFnJpF1EiuaNxBncSMPc/zn5i80oS6aTT4yQ0yxyIxKBzRGipZewnn/u3qSLy2j/z6lW1vcWEk/hdjC1HQ9ya0JJDwUB5FF308S4oK1E4gTsu3uKkKiHTYQC7Hxp4XQogjujCzWH/HvW2FsA7Na1EAkIu0KpzikcNvZ5xEBbIlmGqdsC2/9ybuQMtoxxleKRT3ZBgpuQqcYDt/iQDUaS1LpWQXN+7pg1eRy/Dwzitfq1zMO1wCrFEnvGt9WCBKAvX4+s7A9YmDPhTfdpKTQRe2df4QjkvuAtMlM4DYV6JkKj0S7Z3sjPBCzqFF93HM3KvPocHokYa0s/SJVTVkRot+EE7emGoXU82i99jMpXCjsaujTrEGawFhvNX0QhsXoUP2qWAEquRGZ7eBEUhWwHSZhdKM4/HvMa8fYklhKZ4T47b+pCSkeny3ycajy/ClUDGiBLO+Q1IN0qyOWDVAPB/+EPKVct3Bx+WzV9f57fmXZ+wfXjBHYodIfX8tRbehZtLma2h+BNenjiiSWFERrUURV1l1osL+3kuEqwewc/8ys3fGhCWj0+C2hubOUgA0yCZH8KtuJVpYvR4vjnJ8C1g6QELsWgaKWXEw58kRXP/CFAVlhoklS40+HPq5SfjaDDcUOsc2qwzNp8+0ktk1ozFJx3k2fEirRoS7q2upVuN3sCLC4hduDPPMrmStgdUsLwzg1IK+aAWQgvVThmF449nVsDVZGcVeyoB81DuCI+BCKP+apJaPcjf0f083rxEbUNMnKv6GhWl/Mkyhhnafuqq80pMS6ehm27CZSk9Snh8HxI3QMH1cbIx/iHIGOA1kP6ulV4qdwKh/KXYnu/r6JkrSBWQp/21mnJ1yWLSgiJoM+zoWzBcV92Qffjj+2yLN3wdOSaxpPX2B2jU997m4MOr46ut8pHvE4bdTbVpxIhi9f2gzv36ElT5MDTXCiS5+svShCYVEoIipwEmJMs+l/HXwR7PtOvPytSwh+eSC1Z4bTdSPhdyiCMu37tAwlK0K6WbcUQfJE7cPMs+gKgAB6m4VenDV7SQwC+ARWxKACvtBU+QTGudUE7NUHsMugCBHjYB9bKtbakycEachQykDRDkkZ1PDL03ipM8d8Gb0Tm9dYwerBg7Nmw+jt69+VqCaFtpeOc+jp+e5bWEfg/HCHchsHGIQ72RKlHKLXmFwEJ7PmzOlbNGT0Usltq+9o9vHL89mfNK6n2xbneaYyKGFzu87j5+a7caSwJ7CTCFCnq6hctC5bi1tTqQM8tkBiv1lCTcy1kB1t7WX2RpkV99jfLPZPinTI4l+CtjJF3WYNSGgK+JJwzzflL1mobgdHVFGYyERBkx/FNq5aqGSkJA0dki2i3e0liQ8hsybtpe+uX9sybKCMy6MVEoMCzGJBV2g4N/OLCC+WsXPMbJ6SqyZlNKooRtJEuwZzJb2hlWx2298AxtNTcWA+u+gxibf6GZlGcujjf2+/uUrzXRw+hBQU0O/wD5pLvXwYIuxElo02gG1XQu1RLM1qrGg5ouEg7I5TmJzOIjIhhvuGEEoQjZMqA3byJCzj9a7LBJ5ddbmB8Xp9louyJbOuJghgt835r7PfPIqA+58UqNYWkFHYt+PjPc4+DPetjKi0SmvmtxVGjM5qsRCmiabBcY5nHQGNaGIsmg0VsaauBe78LjKLnJL2IR9wgNEEBadyuWHbNtd7wsf728+o6PQzEU8LJO5DK5QvxbX3QVyZTi17nkykvsU0nVqiYZ8Wyc65XgvDjOe18ECG9xeX6vd3pJ+15we9xNJmvRvWy/RCDSt0ul9hUJiHyXRjZGxkP0VD5bWM6MO3RcWmlHwaZRP/U+7sGY1nqhYp6iBfGgKeKlCIwQLeS/n815CVCxHkhW3Vf6dANBirojH96kvcpWLKq/DaVMlmPOkHy+14kMQtZTEqgHuo0Sm/nS5ddVVj1VcFkI+CqK45a5u6Mf/EB/TTOTWTY+iRbwD/grQ2uTRmUMs3G3Fww2xtu1N5jkqm62ooU8CSkr+zVuskX1qRlavV7Z+viDbL5XGiicKf32AYL/KZSLpthpD3Y5FIDuMMXn7xlXSnXDZxbWl9GF4DeMA0pgOlT0afRo+DyLLNv0ot51w8UCX200rPUeI/U/xPaBNOXFrAvlS6syp6nG3ldiJsJMFCwtxb7vO5tSKpQXUXJ2zOnYhQjO7Ofbyfprs65ZZRCvvDh/RaCcYm0MyFmdWlTgz7cd4dkDhv8SpvhnlPoWwoUi0d9s5gxqmPWUEtVbuEMCzewU1XTcJufSP17mmF6ciofj9t6tvY588Kc0cdGMshzcYnhM6vgHrFiZQoKxE781/SBXKeNG/o6NqQYq7st8t6mwaS5Hx+1eimMCT147dnHNmkjf4TKhLw603QX9gV94owtbc38eRB8UCmgs+37J7I92Ls8W7V9sV5em/JO4K7r3cuiLBfQxkljU+cLKcvpnM65/IAAhXo88Wka3pctkejNTyo3pNbwyikekCYQ+nViSzOjXskQWbcv1ZnzbSGzQJIA7dtgDvIdvQulAveK9VQe9zpPHHomSqBzQr8cwklgC2SJoK5VH0landsMyZR/Xq/jUObUEcvd9kp+MU/OvPz61NES5cqYxCgErEzbv4jxKY9/JohKfue3f+WuQ9pwpo9AbVLTWYFl9uYvg4xM66FWcdfpSh6phv9Q8xfxZjL+2+qC0j/lD9DKB1ztHavDgyRby14iIALJHGi1t3F5JrPSib2XJL38xqIDYCX4iHKUEwwtrb51jWIhc18pLu0QNa+2z9cTrf2zPRTS2LZFbBt9RUKXhaDHTIxEKtiYKIO0fwA2xFUPZaqNfQjyLHPPo1xaOSsepf8fqZplcbphNFCxbKJ7awgZmUl1uGZ4gVo6USSjEXBPTFjJnqV+AhF484petGC05kONnLKPIZ+EQWdRBnQ/yI1T2HY3uoj0QI6qzUFJPg9ujr3KoJvPdOw2Y26PV1J6n+0iEl0whnmD5YZkhetkShbGKILVrLwjkrssuBncUMiWNHPxq19gmGoUEyNs6jWvUSIbgUDa0lsBAOffLRZnVVp0/cVNT6ba7ZnGVWQGkW8Lh6kW/nscf7gKaWoV5RQsP4jAv3GhOO72U8Xvi3v7go21NmfARGq/gTe3XWgc+d3+A0UcHxyDGiUxnr84EHi97GzWA6qtpUWMoGFKNzna/IwAb0iJVBjgJV2vou3R0tvQsHrb6k3WIiUmpIgIkVbC82BzbU3MBKnnljmRpnoUBghkLpf6jjtmteepyezSpCrnzLU3JBJnoXnvoVpst3fA/ByxMUsVpWmS7dT1nQmfifXY056vi8IjeMG0oKVrZlKwZaV2EU0vIqkm/gSgko/h7PXKv/mXDz6hhcft2MWWhEZt5b+40dahinDBhzlRvKcCzMuolDlKMoO7bAjH434ZJQ0LYZX7VSvU5obosJQeZvSE98Gmh09ylYydK03FDSqnK0s3y3Dlo4UzdPhSzJUXk6qZwRaIyReUrHx+0yNgV6JG9gYfabT96dF0mGJdrA6Eitwziot1fEjsKziZ71T4+Kdpn385fjpK1ljQE1amAxYI8Rcs56hoqpmq2QWINQnDXUPpq+jjAf7XnCX/wP9iappXeA1cIN4pTqEOr9fjJsO38gRyxPcSl9ak85+HWyfKx66TloDW/OOHS+M8pX913u/rLKx9Bwe64QCXVY9wRV9aEQv2+RPe/i91lCU5ZqFZclpsq/qcHLlMAk3CNXR/mOHc1tlGT5u7Ds12yVy3RQTLd8kh9p5b4PCdnI87Mp4cPONhkZfZYTjNUd9e/mDxDwk20YjWytDRrxC+o/N8rqEte8+EAPVjB8SsUuN/tX3Wi9mEZloR+MRLfX9jO7903MDUGAL+JOPZRzsLvllNjInQ589OUZxtfXVSVmts++2lxZ8AWtxmjZcuxu3WfF1dZ5WxbInu611Fr1tU+sm0sFFiryN0m7XQgs= '; - - it('should returns assertion', function (done) { - var samlp = new Samlp({}); - samlp.extractAssertion(samlpResponse, function (err, assertion) { - if (err) { done(err); } - - var doc = new xmldom.DOMParser().parseFromString(assertion.toString()); - var attributes = doc.documentElement.getElementsByTagName('saml:Attribute'); - expect(attributes.length).to.equal(5); - expect(attributes[0].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'); - expect(attributes[0].firstChild.textContent).to.equal('12345678'); - expect(attributes[1].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'); - expect(attributes[1].firstChild.textContent).to.equal('jfoo@gmail.com'); - expect(attributes[2].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'); - expect(attributes[2].firstChild.textContent).to.equal('John Foo'); - expect(attributes[3].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'); - expect(attributes[3].firstChild.textContent).to.equal('John'); - expect(attributes[4].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'); - expect(attributes[4].firstChild.textContent).to.equal('Foo'); - done(); - }); - }); - - it('should throws error if EncryptedAssertion is present but options.encryptionKey was not specified', function (done) { - var samlp = new Samlp({}); - samlp.extractAssertion(samlpReponseWithEncryptedAssertion, function (err) { - expect(err.message).to.equal('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.'); - done(); - }); - }); - - it('should returns decrypted assertion', function (done) { - var samlp = new Samlp({ - decryptionKey: fs.readFileSync(__dirname + '/test-decryption.key') - }); - - samlp.extractAssertion(samlpReponseWithEncryptedAssertion, function (err, assertion) { - if (err) { done(err); } - - var doc = new xmldom.DOMParser().parseFromString(assertion.toString()); - var attributes = doc.documentElement.getElementsByTagName('Attribute'); - expect(attributes.length).to.equal(8); - expect(attributes[0].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'); - expect(attributes[1].getAttribute('Name')).to.equal('urn:oid:0.9.2342.19200300.100.1.3'); - expect(attributes[2].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.4'); - expect(attributes[2].firstChild.textContent).to.equal('fmi.ch'); - expect(attributes[3].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.5'); - expect(attributes[3].firstChild.textContent).to.equal('others'); - expect(attributes[4].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'); - expect(attributes[4].firstChild.textContent).to.equal('Pan'); - expect(attributes[5].getAttribute('Name')).to.equal('urn:oid:2.5.4.4'); - expect(attributes[5].firstChild.textContent).to.equal('Pan'); - expect(attributes[6].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'); - expect(attributes[6].firstChild.textContent).to.equal('Peter'); - expect(attributes[7].getAttribute('Name')).to.equal('urn:oid:2.5.4.42'); - expect(attributes[7].firstChild.textContent).to.equal('Peter'); - done(); - }); - }); - - }); - - describe('validateSamlResponse', function(){ - var samlpResponseWithStatusResponder = 'urn:fixture-test'; - var samlpResponseWithStatusResponderWithMessage = 'urn:fixture-testspecific error message'; - var samlpResponseWithStatusResponderAndAuthnFailed = 'urn:fixture-test'; - var samlpResponseWithStatusResponderAndAuthnFailedWithMessage = 'urn:fixture-testspecific error message'; - var samlpResponseWithStatusRequesterWithMessage = 'urn:fixture-testsignature required'; - var samlpResponseWithStatusRequesterWithoutMessage = 'urn:fixture-test'; - var samlpResponseWithStatusVersionMismatchWithMessage = 'urn:fixture-testversion mismatch error'; - var samlpResponseWithStatusVersionMismatchWithoutMessage = 'urn:fixture-test'; - var samlpResponseWithStatusNotMappedStatus = 'urn:fixture-test'; - - it('shuold return error for AuthnFailed status with generic message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailed, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('The responding provider was unable to successfully authenticate the principal'); - done(); - }); - }); - - it('shuold return error for AuthnFailed status with specific message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailedWithMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('specific error message'); - done(); - }); - }); - - it('should return error for Responder status with generic message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusResponder, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('The request could not be performed due to an error on the part of the SAML responder or SAML authority'); - done(); - }); - }); - - it('should return error for Responder status with specific message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('specific error message'); - done(); - }); - }); - - it('should return error for Requester status with specific message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusRequesterWithMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('signature required'); - done(); - }); - }); - - it('should return error for Requester status with default message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusRequesterWithoutMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('The request could not be performed due to an error on the part of the requester'); - done(); - }); - }); - - it('should return error for VersionMismatch status with specific message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusVersionMismatchWithMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('version mismatch error'); - done(); - }); - }); - - it('should return error for VersionMismatch status with default message', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusVersionMismatchWithoutMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('AuthenticationFailedError'); - expect(err.message).to.equal('The SAML responder could not process the request because the version of the request message was incorrect.'); - done(); - }); - }); - - it('should return \'saml response does not contain an Assertion element\' error', function(done){ - var samlp = new Samlp({ checkDestination: false }); - samlp.validateSamlResponse(samlpResponseWithStatusNotMappedStatus, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('Error'); - expect(err.message).to.equal('saml response does not contain an Assertion element (Status: urn:oasis:names:tc:SAML:2.0:status:Success)'); - done(); - }); - }); - - it('should return error for Destination does not match', function(done){ - var samlp = new Samlp({ destinationUrl: 'invalid' }); - samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('Error'); - expect(err.message).to.equal('Destination endpoint https://auth0-dev-ed.my.salesforce.com did not match invalid'); - done(); - }); - }); - - it('should return error for if isValidResponseID fails', function(done){ - var samlp = new Samlp({ destinationUrl: 'invalid', isValidResponseID: function(samlResponseID, done) { - return done(new Error('Invalid response id')) - } }); - samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('Error'); - expect(err.message).to.equal('Invalid response id'); - done(); - }); - }); - - it('should return error for if isValidInResponseTo fails', function(done){ - var samlp = new Samlp({ destinationUrl: 'invalid', isValidInResponseTo: function(inReponseTo, done) { - return done(new Error('Invalid inResponseTo')) - } }); - - samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { - expect(err).to.be.ok; - expect(err.name).to.equals('Error'); - expect(err.message).to.equal('Invalid inResponseTo'); - done(); - }); - }); - - it('should return profile even if the namespace is in response element', function(done){ - var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); - var samlResponse = ` -http://cidmfed.chop.edu/oam/fed - - - wFK//X7GAw5PBQHntPWb8OThZEE=tIb8Z6OWq1T0sws6JFdAbUR6FEBk3I7NkXgk5wCt42tMjPq343j8aj1xwJqsbYvLTvAtxEgmohgxvcJ7oADiqXBgDQ6HJNxe3U6q3NGO6Q7XhmtHMFN+bf+BlT7Hll6Ma11BfYNi6rKnROqJTL6ezm53jLNnqk9En/GYwcAKmGI1C1xlJ9cQDuHzA6w57TexdAOXnBVMi50oAoAG8taUDWtppQwfuuCF+D7Nz5QoUNUKE/ExtTjriBg04RXv6gFTKqYbeb4qDMIqf6hgpVd1xroZipGfQhuHocjoUKQSfSP8BDYDTZoxVIiEBUHP8RRK5Xof45x0+fYj1+O7kg8VpA== -MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=http://cidmfed.chop.edu/oam/fedHankeeJ@email.chop.eduurn:auth0:avillachlab:CHOPLDAPScheme_GRIN`; - var options = { - cert: cert, - thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', - checkExpiration: false, - checkDestination: false, - checkRecipient: false, - realm: 'urn:auth0:avillachlab:CHOP' - }; - var samlp = new Samlp(options, new Saml(options)); - samlp.validateSamlResponse(samlResponse, function (err, profile) { - if (err) return done(err); - expect(profile).to.be.ok; - done(); - }); - }); - - it('should return profile even if the namespace is in response element and assertion is signed', function(done){ - var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); - var samlResponse = ` -http://cidmfed.chop.edu/oam/fed - - - rbOfDvvLSUqfujYcW1b0L8alwf0=MYHsKJvyvkDeA8w485PV4QbQszIQoTeWb+LdRkk9xofVgF325wPnBM7rF+MeZ9ft13nhuW3JpmhKLJnWeQzzpDCxJe8yW1DyE/kHz+FEMOt4d4gKAUBuS5dyh307dhOFYnDOCx9r/oRnFCzsuFXuI4xR8DjRVw9w/8ICCRCFzOK/LZsgpSwmym1Crmm+nXpPuOzkSJl1MUs9UdGAyo0Y0MyXLKybvvZbTyKAIezQFSdr2wz4h1y9IOJvpGrgv3Bu7zN6tjIJQLmEdVk7ugYaQ1ro9jD0Fjk3NgERFnDdEAmo8calIS9VW3pW2g20322Dayky6feumpJYzd4ZrAvoVA== -MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=http://cidmfed.chop.edu/oam/fed - - - zHHFFB4JHVjYEJyJXVk7C4QAnL8=O9i/ioG9MCc1L13hj2J1ouliDU+oE8TE2OCagGjrn3bZdpST2P3bJtaA1vSZolso1eTjn2gyaP3Va2z8CeRqfhd+flusKQJetVOBhdaLEu5Bvw6nufWhLolfNn1PmGdEDdCUMiY9NC1nwIZ8szvGL54Ca9xvjso+ocY/KGk4jXHygJy27IoLSj18YK3vXPJmC97XzKUmyLOMIBi9wf+hSZRkWTB5ejDFUfnzLP/vBhqRUPYxafv1YSNtjbRPO3IynodsKqtqWgvcuzCGqP/tZKZ185mxtlo2qPRI11Y4x3Mg0bv0HABnIwFqP47a2XYeeMY71c/Er766xjPzIF0QNA== -MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=HankeeJ@email.chop.eduurn:auth0:avillachlab:CHOPLDAPScheme_GRIN`; - var options = { - cert: cert, - thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', - checkExpiration: false, - checkDestination: false, - checkRecipient: false, - realm: 'urn:auth0:avillachlab:CHOP' - }; - var samlp = new Samlp(options, new Saml(options)); - samlp.validateSamlResponse(samlResponse, function (err, profile) { - if (err) return done(err); - expect(profile).to.be.ok; - done(); - }); - }); - - it('should return profile even if the namespace is in response element', function(done){ - var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); - var samlResponse = ` -http://cidmfed.chop.edu/oam/fed - - - wFK//X7GAw5PBQHntPWb8OThZEE=tIb8Z6OWq1T0sws6JFdAbUR6FEBk3I7NkXgk5wCt42tMjPq343j8aj1xwJqsbYvLTvAtxEgmohgxvcJ7oADiqXBgDQ6HJNxe3U6q3NGO6Q7XhmtHMFN+bf+BlT7Hll6Ma11BfYNi6rKnROqJTL6ezm53jLNnqk9En/GYwcAKmGI1C1xlJ9cQDuHzA6w57TexdAOXnBVMi50oAoAG8taUDWtppQwfuuCF+D7Nz5QoUNUKE/ExtTjriBg04RXv6gFTKqYbeb4qDMIqf6hgpVd1xroZipGfQhuHocjoUKQSfSP8BDYDTZoxVIiEBUHP8RRK5Xof45x0+fYj1+O7kg8VpA== -MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=http://cidmfed.chop.edu/oam/fedHankeeJ@email.chop.eduurn:auth0:avillachlab:CHOPLDAPScheme_GRIN`; - var options = { - cert: cert, - thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', - checkExpiration: false, - checkDestination: false, - checkRecipient: false, - realm: 'urn:auth0:avillachlab:CHOP' - }; - var samlp = new Samlp(options, new Saml(options)); - samlp.validateSamlResponse(samlResponse, function (err, profile) { - if (err) return done(err); - expect(profile).to.be.ok; - done(); - }); - }); - - it('should return profile when attribute namespaces are defined in saml response', function(done){ - var samlResponse = ` - https://oam-stg.putnam.com/oam/fed - - - - https://oam-stg.putnam.com/oam/fed - - - Xf6a3Y0xwjZf921nP20oOVZcOYQ=LtqqnXEEiEJoz3CTBbKB43TYo+nuSZqobcfum3a9m/hrrU+6TtIublnTXBHl/55cy0sjAkgC/c71jSmM0CJ0Ucp63MvLhxDgQGik0DEsrBq8RlGhCCxoe3J4zY49wfcvmQWW8yr0n8hnVqkM5et+uRN5va3ZJ3YvG0+Cb4Kc4MBBh1X6JPfaXt/pVSC5SSmU3QkjJBmJ07fhltILrleQoaLfg/8H1bwNx3WDO+1wrw4z40F2LWg/XnsmYK0MfBJ5QkpqHIJjSodmb9C/eKPB6dW4O6fwHKrZ2AR7f9BXNG3w2sQmTsX1swJgwew0jCo52r8mWaGo9CotU7WYRL0AtA== -MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo= - - Demo_User@putnam.com - - - - - - urn:auth0:fireglass:putnam - - - - - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport - - - - - Demo_User@putnam.com - - - User - - - Demo - - - -`; - var options = { - - thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', - checkExpiration: false, - checkDestination: false, - checkRecipient: false, - realm: 'urn:auth0:fireglass:putnam' - }; - var samlp = new Samlp(options, new Saml(options)); - samlp.validateSamlResponse(samlResponse, function (err, profile) { - if (err) return done(err); - expect(profile).to.be.ok; - done(); - }); - }); - - it('should return profile for IBM saml response', function(done){ - var cert = fs.readFileSync(__dirname + '/test-auth0.cer'); - var samlResponse = ` -https://w3id.sso.ibm.com/auth/sps/samlidp/saml20 - - - nKIJagEhY0nwjWf2eTMUpy7B/O8=nQoLtflrSaVpV6FQEuORo/dzm+vN8qAU4djJOxEXHjszmrQY0TAvPNS76L/f/lmZMbvkfg5Z/pZBlLfrmsiBRqq7EKrHzJpGU39e2frOjY8MaH95dWh0SztH4rvN2cUozqOxFVHMfbKVJTltXgvV1adaiSjTiGiaADSoVT4P1ydyBIldNt7w8tyFYMX0LOkO31FF93XGEyYwRnYFW0XzLX4AnFk5jklkF4pgHlw/43pzRLJcW1F+kpLMba17cg7XAVzwbyc85GrLKW3ijdCWERW1TDm1jcwhCxFgGcFqP0YaLwIlg9Cg05A43WVEBp8VBRjq+k/s4Yus3KznzWlq7w== -MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=https://w3id.sso.ibm.com/auth/sps/samlidp/saml20 - - - UzUVS+6XRPhKUK7cw3diiofYSTg=uXXEjo8CjqdbDs2MEWooAbufv1hrC5BKXuoYuS/9Z1eqh1vZdgVogqz2yzz2YStzZolB55zL9EbHuHJ8jq8Fw6yDDm7igB2Q6pej08FTrkzBnt7485wKTcTUJdEH7tDJUR5ibm2ESWFTXih7FiAb5Bs9NBX+kK1MJBpKEPOrlqB/IJbwe0bQcQbS6OSfciRiP7Vrw37xB+2tm5Qlgsy7uJXpHaB+jErFT3EdyekaS+KgVmE6f989Ky8n9b+W1p1LbMQJz5+eUsaJVPqt6Sn8SDuKt+uwZWTMNtTJ4tZ5h3kuHAL9spthldfI7sUFAyRr4KI23YE+2lK62pf/vuexaQ== -MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=uuid6dd97435-0154-186a-971f-ee1c8efabddeurn:auth0:safarijv:IBM-Produrn:oasis:names:tc:SAML:2.0:ac:classes:Passwordcornel.popa@ro.ibm.comY9C4BM826`; - var options = { - cert: cert, - thumbprint: '5CA6E1202EAFC0A63A5B93A43572EB2376FED309', - checkExpiration: false, - checkDestination: false, - checkRecipient: false, - realm: 'urn:auth0:safarijv:IBM-Prod' - }; - var samlp = new Samlp(options, new Saml(options)); - samlp.validateSamlResponse(samlResponse, function (err, profile) { - if (err) return done(err); - expect(profile).to.be.ok; - done(); - }); - }); - }); - - describe('getSamlStatus', function(){ - before(function(){ - this.samlp = new Samlp({}); - }); - - it('should get result without subcode', function(){ - var samlpResponse = 'urn:fixture-testsome messagesome details'; - - var result = this.samlp.getSamlStatus(samlpResponse); - - expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); - expect(result.subCode).to.be.undefined; - expect(result.message).to.equal('some message'); - expect(result.detail).to.equal('some details'); - }); - - it('should get result with sucode', function(){ - var samlpResponse = 'urn:fixture-testsome messagesome details'; - - var result = this.samlp.getSamlStatus(samlpResponse); - expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); - expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); - expect(result.message).to.equal('some message'); - expect(result.detail).to.equal('some details'); - }); - - it('should get result without details', function(){ - var samlpResponse = 'urn:fixture-testsome message'; - - var result = this.samlp.getSamlStatus(samlpResponse); - expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); - expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); - expect(result.message).to.equal('some message'); - expect(result.detail).to.be.undefined; - }); - - it('should get result without message', function(){ - var samlpResponse = 'urn:fixture-test'; - - var result = this.samlp.getSamlStatus(samlpResponse); - expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); - expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); - expect(result.message).be.undefined; - expect(result.detail).be.undefined; - }); - - it('should get result with status code only', function(){ - var samlpResponse = 'urn:fixture-test'; - - var result = this.samlp.getSamlStatus(samlpResponse); - expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); - expect(result.subCode).be.undefined; - expect(result.message).be.undefined; - expect(result.detail).be.undefined; - }); - }); -}); - function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { request.get({ jar: request.jar(), @@ -1042,4 +593,4 @@ function doSamlpFlow(samlRequestUrl, callbackEndpoint, callback) { callback(null, { response: response, body: body }); }); }); -} \ No newline at end of file +} diff --git a/test/samlp.unit.tests.js b/test/samlp.unit.tests.js new file mode 100644 index 0000000..36c61cb --- /dev/null +++ b/test/samlp.unit.tests.js @@ -0,0 +1,222 @@ +var expect = require('chai').expect; +var request = require('request'); +var qs = require('querystring'); +var cheerio = require('cheerio'); +var xmldom = require('xmldom'); +var fs = require('fs'); +var zlib = require('zlib'); +var crypto = require('crypto'); +var utils = require('./utils'); +var server = require('./fixture/samlp-server'); +var Samlp = require('../lib/passport-wsfed-saml2/samlp'); + +describe('samlp (unit tests)', function () { + + describe('samlrequest with template', function() { + it('should use providername option', function(done) { + var samlp = new Samlp({ + identityProviderUrl: server.identityProviderUrl, + requestTemplate: '@@Issuer@@', + protocol: 'samlp', + providerName: 'Some name' + }); + samlp.getSamlRequestParams({}, function(err, params) { + expect(params).to.have.property('SAMLRequest'); + var SAMLRequest = params.SAMLRequest; + + zlib.inflateRaw(new Buffer(SAMLRequest, 'base64'), function (err, buffer) { + if (err) return done(err); + + var request = buffer.toString(); + var doc = new xmldom.DOMParser().parseFromString(request); + + expect(doc.documentElement.getAttribute('ProviderName')) + .to.equal('Some name'); + + done(); + }); + }); + }); + }); + + describe('extractAssertion', function () { + + var samlpResponse = 'urn:fixture-testurn:fixture-test12345678https://auth0-dev-ed.my.salesforce.com12345678jfoo@gmail.comJohn FooJohnFoourn:oasis:names:tc:SAML:2.0:ac:classes:unspecifiedYkV3DdlEa19Gb0eE3jTYTVPalV1kZ88fbIv4blO9T1Y=ZiINpNlahQlp1JbgFsamI1/pZ+zcPsZboESVayxBMtrUBYNC4IG2VBnqku7paDxJQ7624CvcNzAYWYCv/2/c67Bv6YhQwK1rb4DPEL6OvbI8FNkYAhTNNw5UhUTEMjnJ7AncV/svUTYyIOyktuCvQh3tR4teZJV+BM3IKj9vRQQbCRNSUVHJEe963ma5HcCyo+RhIKU1pm4+ycswOlY9F115roKB4RNRJLs7Z5fyzhbOoCUujR9MMKHHq+CWaYvh5SkjaH1wMorlPlJtq5dhTZtDRhj4HwxYpCG5b4NF2vp+Jpni4dDFKou0Lzk0k6ueCJGcNHfidfEB3RB20Hed2g==MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo='; + var samlpReponseWithEncryptedAssertion = ' https://adfs.fmi.ch/adfs/services/trust CN=fmi-test.auth0.com 17575331292066593326 PfbLmL7Eb2NL5lzxyuEuKolgDtHjAuVDV9AaDKp1UqxSKXPGQaF3FTFt7Gl7FRmEdfjMD4xyMII4c6itasV7/N1WIXVw6j9VpvBZ2WPH4lT2gHVXEnCSko+rlk0OfFQN/XFY1HZrPb0PeSYtbuR6Fe2KDLVYYSElrGyn9lbU/zgLB+cV3OiidMamymcTjBYxr3+wv8zhEl2jDYd/04wULeDydhNpA8KFzjy/DQwE4GwlOfuCCtZboai1OXA3++KEuwH2QrC5lRpmnpwV1OJj+ozWDmJrRLA/vpxakQfMzjBcMoBx5wy0dvDaXcjMZk2aaOUhydSC+vd5UYD3npVlog== AZX6tZLTBQJTsrbXGj1QaDf9ZnMigNI3ySiH7deoK0y0M9gkzC6+7tzie7IbavR9QkdLlB0NCnokPFYyxS/w3NsCT3qDk9o45f4LNVqBel1sVagG1rNFcjMsH17V0Phj5idh/acvIx8s22XDC44XXeo0/FT3ZC1HPBBwS+c4UAFI3OiYux61gzA4zg72iZoqs9Wt6ZpJdKn3QtrOCYGQmKrO6lKzgHLkHgB4Lk8Th24OqfeRWdau4j91z28gZ4teSlp9oARgXrrGjdFneXivTSTdDfMwKOmCr5eVfu5jUBCjeaL5DEU/mlpfUwvnQQVOq+rYimq4+Yp1eRXr69diRJ73Ne+7iL7CzqXDLoYuz+ZMdGE2hEU7L0nn1mnmPaGtbdtL92bj2dALNeshWJjjBw7Qem/GjJFEHKzsd1OfhMRuNlfpw6gFku3/+QcYac/FJYzxOIfEzKOQWL8GMLm96CZ0J2Par2yEM9oi4fDtRocjyAhX//JSgiB5HDS3kxDc4HNGSqOgmmXGi6vQR9+82fIlnRP7iO1xD6o61sKHBOMI22bMKouyx0XlKoNHPuPMQGmHfgbty66KFgqkLih5nLX3TzqNommle9ZwvcIvgZ2PWRmiLVtfW/Yc3584zp1CzF/VwqOXCalTkgEObuSXEODU4JpGVAViPCVyriVBu1kWmws/kpfaTUe+brI1m+hp+0tpjKVh+VoesXR+9iPMOHbX39Slmah6zcjU/UjQAN+rtF3SSBMrRd1Fc9VD2fevvD1YvPU9LUAo1BkS7e6ig0jcsX4TC+tdNR+wWiNPhYclIuo06Nd4Uk1f/WkdV1+cRDIobdVabiq6EXSbaJAzbCepCJcOn8dNr0301Os4SIi0EtEQO3wk/Sx7e2UVlmRofK8R3p8TupyO0skMhUzRmlFmsI7kFpKUfcmtshamt9JVN8qIQCowxPgRmy0T67swJgBFdRX5C34CXxNJvGw8Eld7TDoiuQa4FxN2T7ebjaAsBQGYxsBPaGQQFNFTptGNsC+2YDFKV82rftCSyoZiAg3wnz/qjcsB02TOIGtu2I9M/lspl+N4Cb8adludm+YnfK6yRIUFzx2Y7N3hh4WKwvfK8IJuckg+dKC3IOyW2L0dUTScUNB9nB/2jxYLXyiqyT+B+/83BVRBjitFw3F8web3i8iLmMFJswnbL3ONYzUbW7Gu67y+LSHo3yRIneVCJrj91ihvBUMvae7kgoQUVj4vYFMPsykJaFypb59OXe6CyE1bAOHcKnPLRC7tix+TeSgQhHMIqr7yPZXHEhX3FfduxsrrnN4QYIqJOYlirqTh0SdwpT7Y2W02iEdEDBNyJs7kKH4ArRUrSu8xFi/vaNMB896lRy+hMAxdtM131MRV+eY68rNhAb275a3cpsYONRJPym4CRegV48rr6yFHm1vhMoXo2eNBIoQHm4wUInxwhYw0yt/9WM2AU3UwIOdCTHwJQeLWgJu4PDA4O0Tmrm2bS4kFEM4ya3Y6KXhjVHyoxkHzi+PYVNzEKdobhxOP2+1n/5+/SU84+WqcsQxRtoXFloEr1GMSt9L1di4w9uuzYngM49P63CQBMQVi8hz4fPrkZzm/V3MwZ7aOIm9/JTr2IPeuJYE7LHh3VDB2uirFGfrooHncOKDQfAqgSrAF7ztSYgY3DDuBcBMQ3uS8rMqrH0Uwza1hF7p+7dfUZyzt7OF9zGBJmOWK2YLkCL+QiCxJMTG+til3AyHwRVmACdL6uNmBsd31Sr673YiFaPTZC2Q6wu48HYZQ0z5qJwOpBm5EHDuVDCwT/GqkTwQD5182f5jQKX5eWIa9gehuKWrTfOZc0DU93yfE1ZGXJq27RrAv4Lzfh59lRvasGL3PZ+rRLuALgKQ5vBgJXlgk1T/hHP9sB1BAG8OpwQoQOFlx4y8kZLzxQmtRBb9BaTzl43CYLhsXgPBsepRSL3RAyG123LgDRz56TU/b6v8Wuu/GzkC7Afr237HazCiRG/kpKqYAEEWKjHPVzKFnJpF1EiuaNxBncSMPc/zn5i80oS6aTT4yQ0yxyIxKBzRGipZewnn/u3qSLy2j/z6lW1vcWEk/hdjC1HQ9ya0JJDwUB5FF308S4oK1E4gTsu3uKkKiHTYQC7Hxp4XQogjujCzWH/HvW2FsA7Na1EAkIu0KpzikcNvZ5xEBbIlmGqdsC2/9ybuQMtoxxleKRT3ZBgpuQqcYDt/iQDUaS1LpWQXN+7pg1eRy/Dwzitfq1zMO1wCrFEnvGt9WCBKAvX4+s7A9YmDPhTfdpKTQRe2df4QjkvuAtMlM4DYV6JkKj0S7Z3sjPBCzqFF93HM3KvPocHokYa0s/SJVTVkRot+EE7emGoXU82i99jMpXCjsaujTrEGawFhvNX0QhsXoUP2qWAEquRGZ7eBEUhWwHSZhdKM4/HvMa8fYklhKZ4T47b+pCSkeny3ycajy/ClUDGiBLO+Q1IN0qyOWDVAPB/+EPKVct3Bx+WzV9f57fmXZ+wfXjBHYodIfX8tRbehZtLma2h+BNenjiiSWFERrUURV1l1osL+3kuEqwewc/8ys3fGhCWj0+C2hubOUgA0yCZH8KtuJVpYvR4vjnJ8C1g6QELsWgaKWXEw58kRXP/CFAVlhoklS40+HPq5SfjaDDcUOsc2qwzNp8+0ktk1ozFJx3k2fEirRoS7q2upVuN3sCLC4hduDPPMrmStgdUsLwzg1IK+aAWQgvVThmF449nVsDVZGcVeyoB81DuCI+BCKP+apJaPcjf0f083rxEbUNMnKv6GhWl/Mkyhhnafuqq80pMS6ehm27CZSk9Snh8HxI3QMH1cbIx/iHIGOA1kP6ulV4qdwKh/KXYnu/r6JkrSBWQp/21mnJ1yWLSgiJoM+zoWzBcV92Qffjj+2yLN3wdOSaxpPX2B2jU997m4MOr46ut8pHvE4bdTbVpxIhi9f2gzv36ElT5MDTXCiS5+svShCYVEoIipwEmJMs+l/HXwR7PtOvPytSwh+eSC1Z4bTdSPhdyiCMu37tAwlK0K6WbcUQfJE7cPMs+gKgAB6m4VenDV7SQwC+ARWxKACvtBU+QTGudUE7NUHsMugCBHjYB9bKtbakycEachQykDRDkkZ1PDL03ipM8d8Gb0Tm9dYwerBg7Nmw+jt69+VqCaFtpeOc+jp+e5bWEfg/HCHchsHGIQ72RKlHKLXmFwEJ7PmzOlbNGT0Usltq+9o9vHL89mfNK6n2xbneaYyKGFzu87j5+a7caSwJ7CTCFCnq6hctC5bi1tTqQM8tkBiv1lCTcy1kB1t7WX2RpkV99jfLPZPinTI4l+CtjJF3WYNSGgK+JJwzzflL1mobgdHVFGYyERBkx/FNq5aqGSkJA0dki2i3e0liQ8hsybtpe+uX9sybKCMy6MVEoMCzGJBV2g4N/OLCC+WsXPMbJ6SqyZlNKooRtJEuwZzJb2hlWx2298AxtNTcWA+u+gxibf6GZlGcujjf2+/uUrzXRw+hBQU0O/wD5pLvXwYIuxElo02gG1XQu1RLM1qrGg5ouEg7I5TmJzOIjIhhvuGEEoQjZMqA3byJCzj9a7LBJ5ddbmB8Xp9louyJbOuJghgt835r7PfPIqA+58UqNYWkFHYt+PjPc4+DPetjKi0SmvmtxVGjM5qsRCmiabBcY5nHQGNaGIsmg0VsaauBe78LjKLnJL2IR9wgNEEBadyuWHbNtd7wsf728+o6PQzEU8LJO5DK5QvxbX3QVyZTi17nkykvsU0nVqiYZ8Wyc65XgvDjOe18ECG9xeX6vd3pJ+15we9xNJmvRvWy/RCDSt0ul9hUJiHyXRjZGxkP0VD5bWM6MO3RcWmlHwaZRP/U+7sGY1nqhYp6iBfGgKeKlCIwQLeS/n815CVCxHkhW3Vf6dANBirojH96kvcpWLKq/DaVMlmPOkHy+14kMQtZTEqgHuo0Sm/nS5ddVVj1VcFkI+CqK45a5u6Mf/EB/TTOTWTY+iRbwD/grQ2uTRmUMs3G3Fww2xtu1N5jkqm62ooU8CSkr+zVuskX1qRlavV7Z+viDbL5XGiicKf32AYL/KZSLpthpD3Y5FIDuMMXn7xlXSnXDZxbWl9GF4DeMA0pgOlT0afRo+DyLLNv0ot51w8UCX200rPUeI/U/xPaBNOXFrAvlS6syp6nG3ldiJsJMFCwtxb7vO5tSKpQXUXJ2zOnYhQjO7Ofbyfprs65ZZRCvvDh/RaCcYm0MyFmdWlTgz7cd4dkDhv8SpvhnlPoWwoUi0d9s5gxqmPWUEtVbuEMCzewU1XTcJufSP17mmF6ciofj9t6tvY588Kc0cdGMshzcYnhM6vgHrFiZQoKxE781/SBXKeNG/o6NqQYq7st8t6mwaS5Hx+1eimMCT147dnHNmkjf4TKhLw603QX9gV94owtbc38eRB8UCmgs+37J7I92Ls8W7V9sV5em/JO4K7r3cuiLBfQxkljU+cLKcvpnM65/IAAhXo88Wka3pctkejNTyo3pNbwyikekCYQ+nViSzOjXskQWbcv1ZnzbSGzQJIA7dtgDvIdvQulAveK9VQe9zpPHHomSqBzQr8cwklgC2SJoK5VH0landsMyZR/Xq/jUObUEcvd9kp+MU/OvPz61NES5cqYxCgErEzbv4jxKY9/JohKfue3f+WuQ9pwpo9AbVLTWYFl9uYvg4xM66FWcdfpSh6phv9Q8xfxZjL+2+qC0j/lD9DKB1ztHavDgyRby14iIALJHGi1t3F5JrPSib2XJL38xqIDYCX4iHKUEwwtrb51jWIhc18pLu0QNa+2z9cTrf2zPRTS2LZFbBt9RUKXhaDHTIxEKtiYKIO0fwA2xFUPZaqNfQjyLHPPo1xaOSsepf8fqZplcbphNFCxbKJ7awgZmUl1uGZ4gVo6USSjEXBPTFjJnqV+AhF484petGC05kONnLKPIZ+EQWdRBnQ/yI1T2HY3uoj0QI6qzUFJPg9ujr3KoJvPdOw2Y26PV1J6n+0iEl0whnmD5YZkhetkShbGKILVrLwjkrssuBncUMiWNHPxq19gmGoUEyNs6jWvUSIbgUDa0lsBAOffLRZnVVp0/cVNT6ba7ZnGVWQGkW8Lh6kW/nscf7gKaWoV5RQsP4jAv3GhOO72U8Xvi3v7go21NmfARGq/gTe3XWgc+d3+A0UcHxyDGiUxnr84EHi97GzWA6qtpUWMoGFKNzna/IwAb0iJVBjgJV2vou3R0tvQsHrb6k3WIiUmpIgIkVbC82BzbU3MBKnnljmRpnoUBghkLpf6jjtmteepyezSpCrnzLU3JBJnoXnvoVpst3fA/ByxMUsVpWmS7dT1nQmfifXY056vi8IjeMG0oKVrZlKwZaV2EU0vIqkm/gSgko/h7PXKv/mXDz6hhcft2MWWhEZt5b+40dahinDBhzlRvKcCzMuolDlKMoO7bAjH434ZJQ0LYZX7VSvU5obosJQeZvSE98Gmh09ylYydK03FDSqnK0s3y3Dlo4UzdPhSzJUXk6qZwRaIyReUrHx+0yNgV6JG9gYfabT96dF0mGJdrA6Eitwziot1fEjsKziZ71T4+Kdpn385fjpK1ljQE1amAxYI8Rcs56hoqpmq2QWINQnDXUPpq+jjAf7XnCX/wP9iappXeA1cIN4pTqEOr9fjJsO38gRyxPcSl9ak85+HWyfKx66TloDW/OOHS+M8pX913u/rLKx9Bwe64QCXVY9wRV9aEQv2+RPe/i91lCU5ZqFZclpsq/qcHLlMAk3CNXR/mOHc1tlGT5u7Ds12yVy3RQTLd8kh9p5b4PCdnI87Mp4cPONhkZfZYTjNUd9e/mDxDwk20YjWytDRrxC+o/N8rqEte8+EAPVjB8SsUuN/tX3Wi9mEZloR+MRLfX9jO7903MDUGAL+JOPZRzsLvllNjInQ589OUZxtfXVSVmts++2lxZ8AWtxmjZcuxu3WfF1dZ5WxbInu611Fr1tU+sm0sFFiryN0m7XQgs= '; + + it('should returns assertion', function (done) { + var samlp = new Samlp({}); + samlp.extractAssertion(samlpResponse, function (err, assertion) { + if (err) { done(err); } + + var doc = new xmldom.DOMParser().parseFromString(assertion.toString()); + var attributes = doc.documentElement.getElementsByTagName('saml:Attribute'); + expect(attributes.length).to.equal(5); + expect(attributes[0].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'); + expect(attributes[0].firstChild.textContent).to.equal('12345678'); + expect(attributes[1].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'); + expect(attributes[1].firstChild.textContent).to.equal('jfoo@gmail.com'); + expect(attributes[2].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'); + expect(attributes[2].firstChild.textContent).to.equal('John Foo'); + expect(attributes[3].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'); + expect(attributes[3].firstChild.textContent).to.equal('John'); + expect(attributes[4].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'); + expect(attributes[4].firstChild.textContent).to.equal('Foo'); + done(); + }); + }); + + it('should throws error if EncryptedAssertion is present but options.encryptionKey was not specified', function (done) { + var samlp = new Samlp({}); + samlp.extractAssertion(samlpReponseWithEncryptedAssertion, function (err) { + expect(err.message).to.equal('Assertion is encrypted. Please set options.decryptionKey with your decryption private key.'); + done(); + }); + }); + + it('should returns decrypted assertion', function (done) { + var samlp = new Samlp({ + decryptionKey: fs.readFileSync(__dirname + '/test-decryption.key') + }); + + samlp.extractAssertion(samlpReponseWithEncryptedAssertion, function (err, assertion) { + if (err) { done(err); } + + var doc = new xmldom.DOMParser().parseFromString(assertion.toString()); + var attributes = doc.documentElement.getElementsByTagName('Attribute'); + expect(attributes.length).to.equal(8); + expect(attributes[0].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'); + expect(attributes[1].getAttribute('Name')).to.equal('urn:oid:0.9.2342.19200300.100.1.3'); + expect(attributes[2].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.4'); + expect(attributes[2].firstChild.textContent).to.equal('fmi.ch'); + expect(attributes[3].getAttribute('Name')).to.equal('urn:oid:2.16.756.1.2.5.1.1.5'); + expect(attributes[3].firstChild.textContent).to.equal('others'); + expect(attributes[4].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'); + expect(attributes[4].firstChild.textContent).to.equal('Pan'); + expect(attributes[5].getAttribute('Name')).to.equal('urn:oid:2.5.4.4'); + expect(attributes[5].firstChild.textContent).to.equal('Pan'); + expect(attributes[6].getAttribute('Name')).to.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'); + expect(attributes[6].firstChild.textContent).to.equal('Peter'); + expect(attributes[7].getAttribute('Name')).to.equal('urn:oid:2.5.4.42'); + expect(attributes[7].firstChild.textContent).to.equal('Peter'); + done(); + }); + }); + + }); + + describe('validateSamlResponse', function(){ + var samlpResponseWithStatusResponder = 'urn:fixture-test'; + var samlpResponseWithStatusResponderWithMessage = 'urn:fixture-testspecific error message'; + var samlpResponseWithStatusResponderAndAuthnFailed = 'urn:fixture-test'; + var samlpResponseWithStatusResponderAndAuthnFailedWithMessage = 'urn:fixture-testspecific error message'; + var samlpResponseWithStatusNotMappedStatus = 'urn:fixture-test'; + + it('shuold return error for AuthnFailed status with generic message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailed, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('The responding provider was unable to successfully authenticate the principal'); + done(); + }); + }); + + it('shuold return error for AuthnFailed status with specific message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusResponderAndAuthnFailedWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('specific error message'); + done(); + }); + }); + + it('should return error for Responder status with generic message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusResponder, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('The request could not be performed due to an error on the part of the SAML responder or SAML authority'); + done(); + }); + }); + + it('should return error for Responder status with specific message', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusResponderWithMessage, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('AuthenticationFailedError'); + expect(err.message).to.equal('specific error message'); + done(); + }); + }); + + it('should return \'saml response does not contain an Assertion element\' error', function(done){ + var samlp = new Samlp({ checkDestination: false }); + samlp.validateSamlResponse(samlpResponseWithStatusNotMappedStatus, function (err) { + expect(err).to.be.ok; + expect(err.name).to.equals('Error'); + expect(err.message).to.equal('saml response does not contain an Assertion element (Status: urn:oasis:names:tc:SAML:2.0:status:Success)'); + done(); + }); + }); + }); + + describe('getSamlStatus', function(){ + before(function(){ + this.samlp = new Samlp({}); + }); + + it('should get result without subcode', function(){ + var samlpResponse = 'urn:fixture-testsome messagesome details'; + + var result = this.samlp.getSamlStatus(samlpResponse); + + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.be.undefined; + expect(result.message).to.equal('some message'); + expect(result.detail).to.equal('some details'); + }); + + it('should get result with sucode', function(){ + var samlpResponse = 'urn:fixture-testsome messagesome details'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); + expect(result.message).to.equal('some message'); + expect(result.detail).to.equal('some details'); + }); + + it('should get result without details', function(){ + var samlpResponse = 'urn:fixture-testsome message'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); + expect(result.message).to.equal('some message'); + expect(result.detail).to.be.undefined; + }); + + it('should get result without message', function(){ + var samlpResponse = 'urn:fixture-test'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).to.equal('urn:oasis:names:tc:SAML:2.0:status:AuthNFailed'); + expect(result.message).be.undefined; + expect(result.detail).be.undefined; + }); + + it('should get result with status code only', function(){ + var samlpResponse = 'urn:fixture-test'; + + var result = this.samlp.getSamlStatus(samlpResponse); + expect(result.code).to.equal('urn:oasis:names:tc:SAML:2.0:status:Responder'); + expect(result.subCode).be.undefined; + expect(result.message).be.undefined; + expect(result.detail).be.undefined; + }); + }); +}); \ No newline at end of file