mocksaml/utils/request.ts

import { promisify } from 'util';
import xml2js from 'xml2js';
import { inflateRaw } from 'zlib';

const inflateRawAsync = promisify(inflateRaw);

// Parse XML
const parseXML = (xml: string): Promise<Record<string, any>> => {
  return new Promise((resolve, reject) => {
    xml2js.parseString(
      xml,
      {
        tagNameProcessors: [xml2js.processors.stripPrefix],
        strict: true,
      },
      (err: Error | null, result: any) => {
        if (err) {
          reject(err);
        }

        resolve(result);
      }
    );
  });
};

// Decode the base64 string
const decodeBase64 = async (string: string, isDeflated: boolean) => {
  return isDeflated
    ? (await inflateRawAsync(Buffer.from(string, 'base64'))).toString()
    : Buffer.from(string, 'base64').toString();
};

// Parse SAMLRequest attributes
const extractSAMLRequestAttributes = async (rawRequest: string, isPost = true) => {
  const result = await parseXML(rawRequest);

  const attributes = result['AuthnRequest']['$'];
  const issuer = result['AuthnRequest']['Issuer'];

  const publicKey = result['AuthnRequest']['Signature']
    ? result['AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]
    : null;

  if (!publicKey && isPost) {
    throw new Error('Missing signature');
  }

  return {
    id: attributes.ID,
    acsUrl: attributes.AssertionConsumerServiceURL,
    providerName: attributes.ProviderName,
    audience: issuer[0]['_'],
    publicKey,
  };
};

export { extractSAMLRequestAttributes, decodeBase64 };
Applied prettier 2022-02-22 06:14:12 +00:00			`import { promisify } from 'util';`
Code cleanup 2022-02-23 13:48:20 +00:00			`import xml2js from 'xml2js';`
Applied prettier 2022-02-22 06:14:12 +00:00			`import { inflateRaw } from 'zlib';`
cleanup util 2022-02-21 14:31:47 +00:00
parse SAML req 2022-02-22 05:35:42 +00:00			`const inflateRawAsync = promisify(inflateRaw);`
cleanup util 2022-02-21 14:31:47 +00:00
			`// Parse XML`
			`const parseXML = (xml: string): Promise<Record<string, any>> => {`
			`return new Promise((resolve, reject) => {`
strip prefix when parsing the request saml (#158) 2023-03-24 05:12:47 +00:00			`xml2js.parseString(`
			`xml,`
			`{`
			`tagNameProcessors: [xml2js.processors.stripPrefix],`
			`strict: true,`
			`},`
			`(err: Error \| null, result: any) => {`
			`if (err) {`
			`reject(err);`
			`}`

			`resolve(result);`
cleanup util 2022-02-21 14:31:47 +00:00			`}`
strip prefix when parsing the request saml (#158) 2023-03-24 05:12:47 +00:00			`);`
cleanup util 2022-02-21 14:31:47 +00:00			`});`
			`};`

Validate AuthnRequest signature (#11) * Validate AuthnRequest signature skelton * Code refactor: Move the base64decode to common method * wip * Add signature validation * Read the keys from config * Lock dep version Co-authored-by: Deepak Prabhakara <deepak@boxyhq.com> 2022-03-02 21:06:04 +00:00			`// Decode the base64 string`
			`const decodeBase64 = async (string: string, isDeflated: boolean) => {`
			`return isDeflated`
			`? (await inflateRawAsync(Buffer.from(string, 'base64'))).toString()`
			`: Buffer.from(string, 'base64').toString();`
			`};`

cleanup util 2022-02-21 14:31:47 +00:00			`// Parse SAMLRequest attributes`
bypass validation for GET request until we figure out how to exchange the public key with the SP (#159) 2023-03-24 23:01:42 +00:00			`const extractSAMLRequestAttributes = async (rawRequest: string, isPost = true) => {`
Validate AuthnRequest signature (#11) * Validate AuthnRequest signature skelton * Code refactor: Move the base64decode to common method * wip * Add signature validation * Read the keys from config * Lock dep version Co-authored-by: Deepak Prabhakara <deepak@boxyhq.com> 2022-03-02 21:06:04 +00:00			`const result = await parseXML(rawRequest);`
cleanup util 2022-02-21 14:31:47 +00:00
strip prefix when parsing the request saml (#158) 2023-03-24 05:12:47 +00:00			`const attributes = result['AuthnRequest']['$'];`
			`const issuer = result['AuthnRequest']['Issuer'];`
Validate AuthnRequest signature (#11) * Validate AuthnRequest signature skelton * Code refactor: Move the base64decode to common method * wip * Add signature validation * Read the keys from config * Lock dep version Co-authored-by: Deepak Prabhakara <deepak@boxyhq.com> 2022-03-02 21:06:04 +00:00
strip prefix when parsing the request saml (#158) 2023-03-24 05:12:47 +00:00			`const publicKey = result['AuthnRequest']['Signature']`
			`? result['AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]`
check for missing signature and throw appropriate error (#80) 2022-10-12 18:11:50 +00:00			`: null;`

bypass validation for GET request until we figure out how to exchange the public key with the SP (#159) 2023-03-24 23:01:42 +00:00			`if (!publicKey && isPost) {`
check for missing signature and throw appropriate error (#80) 2022-10-12 18:11:50 +00:00			`throw new Error('Missing signature');`
			`}`

cleanup util 2022-02-21 14:31:47 +00:00			`return {`
parse SAML req 2022-02-22 05:35:42 +00:00			`id: attributes.ID,`
			`acsUrl: attributes.AssertionConsumerServiceURL,`
			`providerName: attributes.ProviderName,`
Applied prettier 2022-02-22 06:14:12 +00:00			`audience: issuer[0]['_'],`
check for missing signature and throw appropriate error (#80) 2022-10-12 18:11:50 +00:00			`publicKey,`
cleanup util 2022-02-21 14:31:47 +00:00			`};`
			`};`

Switch to saml20 (#21) * Use boxyhq/saml20 * use sign from saml20 * cleaned up GetKeyInfo * cleaned up getPublicKeyPemFromCertificate * cleaned up node-forge * use hasValidSignature from saml20 * cleanup and update saml20 to the beta version * throw an error if signature is not valid * updated saml20 2022-04-26 17:02:12 +00:00			`export { extractSAMLRequestAttributes, decodeBase64 };`