UNPKG

@cresta-oss/samlify

Version:

High-level API for Single Sign On (SAML 2.0)

201 lines 9.12 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); /** * @file binding-redirect.ts * @author tngan * @desc Binding-level API, declare the functions using Redirect binding */ var utility_1 = require("./utility"); var libsaml_1 = require("./libsaml"); var url = require("url"); var urn_1 = require("./urn"); var binding = urn_1.wording.binding; var urlParams = urn_1.wording.urlParams; /** * @private * @desc Helper of generating URL param/value pair * @param {string} param key * @param {string} value value of key * @param {boolean} first determine whether the param is the starting one in order to add query header '?' * @return {string} */ function pvPair(param, value, first) { return (first === true ? '?' : '&') + param + '=' + value; } /** * @private * @desc Refractored part of URL generation for login/logout request * @param {string} type * @param {boolean} isSigned * @param {string} rawSamlRequest * @param {object} entitySetting * @return {string} */ function buildRedirectURL(opts) { var baseUrl = opts.baseUrl, type = opts.type, isSigned = opts.isSigned, context = opts.context, entitySetting = opts.entitySetting; var _a = opts.relayState, relayState = _a === void 0 ? '' : _a; var noParams = (url.parse(baseUrl).query || []).length === 0; var queryParam = libsaml_1.default.getQueryParamByType(type); // In general, this xmlstring is required to do deflate -> base64 -> urlencode var samlRequest = encodeURIComponent(utility_1.default.base64Encode(utility_1.default.deflateString(context))); if (relayState !== '') { relayState = pvPair(urlParams.relayState, encodeURIComponent(relayState)); } if (isSigned) { var sigAlg = pvPair(urlParams.sigAlg, encodeURIComponent(entitySetting.requestSignatureAlgorithm)); var octetString = samlRequest + relayState + sigAlg; return baseUrl + pvPair(queryParam, octetString, noParams) + pvPair(urlParams.signature, encodeURIComponent(libsaml_1.default.constructMessageSignature(queryParam + '=' + octetString, entitySetting.privateKey, entitySetting.privateKeyPass, undefined, entitySetting.requestSignatureAlgorithm))); } return baseUrl + pvPair(queryParam, samlRequest + relayState, noParams); } /** * @desc Redirect URL for login request * @param {object} entity object includes both idp and sp * @param {function} customTagReplacement used when developers have their own login response template * @return {string} redirect URL */ function loginRequestRedirectURL(entity, customTagReplacement) { var metadata = { idp: entity.idp.entityMeta, sp: entity.sp.entityMeta }; var spSetting = entity.sp.entitySetting; var id = ''; if (metadata && metadata.idp && metadata.sp) { var base = metadata.idp.getSingleSignOnService(binding.redirect); var rawSamlRequest = void 0; if (spSetting.loginRequestTemplate && customTagReplacement) { var info = customTagReplacement(spSetting.loginRequestTemplate); id = utility_1.get(info, 'id', null); rawSamlRequest = utility_1.get(info, 'context', null); } else { var nameIDFormat = spSetting.nameIDFormat; var selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat; id = spSetting.generateID(); rawSamlRequest = libsaml_1.default.replaceTagsByValue(libsaml_1.default.defaultLoginRequestTemplate.context, { ID: id, Destination: base, Issuer: metadata.sp.getEntityID(), IssueInstant: new Date().toISOString(), NameIDFormat: selectedNameIDFormat, AssertionConsumerServiceURL: metadata.sp.getAssertionConsumerService(binding.post), EntityID: metadata.sp.getEntityID(), AllowCreate: spSetting.allowCreate, }); } return { id: id, context: buildRedirectURL({ context: rawSamlRequest, type: urlParams.samlRequest, isSigned: metadata.sp.isAuthnRequestSigned(), entitySetting: spSetting, baseUrl: base, relayState: spSetting.relayState, }), }; } throw new Error('ERR_GENERATE_REDIRECT_LOGIN_REQUEST_MISSING_METADATA'); } /** * @desc Redirect URL for logout request * @param {object} user current logged user (e.g. req.user) * @param {object} entity object includes both idp and sp * @param {function} customTagReplacement used when developers have their own login response template * @return {string} redirect URL */ function logoutRequestRedirectURL(user, entity, relayState, customTagReplacement) { var metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta }; var initSetting = entity.init.entitySetting; var id = initSetting.generateID(); var nameIDFormat = initSetting.nameIDFormat; var selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat; if (metadata && metadata.init && metadata.target) { var base = metadata.target.getSingleLogoutService(binding.redirect); var rawSamlRequest = ''; var requiredTags = { ID: id, Destination: base, EntityID: metadata.init.getEntityID(), Issuer: metadata.init.getEntityID(), IssueInstant: new Date().toISOString(), NameIDFormat: selectedNameIDFormat, NameID: user.logoutNameID, SessionIndex: user.sessionIndex, }; if (initSetting.logoutRequestTemplate && customTagReplacement) { var info = customTagReplacement(initSetting.logoutRequestTemplate, requiredTags); id = utility_1.get(info, 'id', null); rawSamlRequest = utility_1.get(info, 'context', null); } else { rawSamlRequest = libsaml_1.default.replaceTagsByValue(libsaml_1.default.defaultLogoutRequestTemplate.context, requiredTags); } return { id: id, context: buildRedirectURL({ context: rawSamlRequest, relayState: relayState, type: urlParams.logoutRequest, isSigned: entity.target.entitySetting.wantLogoutRequestSigned, entitySetting: initSetting, baseUrl: base, }), }; } throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_REQUEST_MISSING_METADATA'); } /** * @desc Redirect URL for logout response * @param {object} requescorresponding request, used to obtain the id * @param {object} entity object includes both idp and sp * @param {function} customTagReplacement used when developers have their own login response template */ function logoutResponseRedirectURL(requestInfo, entity, relayState, customTagReplacement) { var metadata = { init: entity.init.entityMeta, target: entity.target.entityMeta, }; var initSetting = entity.init.entitySetting; var id = initSetting.generateID(); if (metadata && metadata.init && metadata.target) { var base = metadata.target.getSingleLogoutService(binding.redirect); var rawSamlResponse = void 0; if (initSetting.logoutResponseTemplate && customTagReplacement) { var template = customTagReplacement(initSetting.logoutResponseTemplate); id = utility_1.get(template, 'id', null); rawSamlResponse = utility_1.get(template, 'context', null); } else { var tvalue = { ID: id, Destination: base, Issuer: metadata.init.getEntityID(), EntityID: metadata.init.getEntityID(), IssueInstant: new Date().toISOString(), StatusCode: urn_1.namespace.statusCode.success, }; if (requestInfo && requestInfo.extract && requestInfo.extract.logoutRequest) { tvalue.InResponseTo = requestInfo.extract.logoutRequest.id; } rawSamlResponse = libsaml_1.default.replaceTagsByValue(libsaml_1.default.defaultLogoutResponseTemplate.context, tvalue); } return { id: id, context: buildRedirectURL({ baseUrl: base, type: urlParams.logoutResponse, isSigned: entity.target.entitySetting.wantLogoutResponseSigned, context: rawSamlResponse, entitySetting: initSetting, relayState: relayState, }), }; } throw new Error('ERR_GENERATE_REDIRECT_LOGOUT_RESPONSE_MISSING_METADATA'); } var redirectBinding = { loginRequestRedirectURL: loginRequestRedirectURL, logoutRequestRedirectURL: logoutRequestRedirectURL, logoutResponseRedirectURL: logoutResponseRedirectURL, }; exports.default = redirectBinding; //# sourceMappingURL=binding-redirect.js.map