Add new config value for own public cert and fix kombit strategy values (#289)

Author: fcv-iteratorIt

src/auth/kombit.strategy.ts

@@ -14,29 +14,36 @@ export class KombitStrategy extends PassportStrategy(SamlStrategy, "kombit") {
   constructor(private readonly authService: AuthService) {
     super(
       {
-        issuer: `${configuration()["backend"]["baseurl"]}/api/v1/auth/kombit/metadata`,
         callbackUrl: `${configuration()["backend"]["baseurl"]}/api/v1/auth/kombit/login/callback`,
-        publicCert: configuration()["kombit"]["certificatePublicKey"],
-        idpCert: configuration()["kombit"]["certificatePublicKey"],
-        audience: `${configuration()["backend"]["baseurl"]}/api/v1/auth/kombit/metadata`,
-        logoutCallbackUrl: `${configuration()["backend"]["baseurl"]}/api/v1/auth/kombit/logout/callback`,
-        logoutUrl: configuration()["kombit"]["entryPoint"],
         entryPoint: configuration()["kombit"]["entryPoint"],
-        identifierFormat: "",
+        issuer: `${configuration()["backend"]["baseurl"]}/api/v1/auth/kombit/metadata`,
+        audience: `${configuration()["backend"]["baseurl"]}/api/v1/auth/kombit/metadata`,
+        idpCert: configuration()["kombit"]["certificatePublicKey"],
+        privateKey: configuration()["kombit"]["certificatePrivateKey"],
+        publicCert: configuration()["kombit"]["certificateOwnPublicKey"],
         decryptionPvk: configuration()["kombit"]["certificatePrivateKey"],
         signatureAlgorithm: "sha256",
+        logoutCallbackUrl: `${configuration()["backend"]["baseurl"]}/api/v1/auth/kombit/logout/callback`,
+        logoutUrl: configuration()["kombit"]["entryPoint"],
+        acceptedClockSkewMs: 1000, // Allow some slack in clock sync
         disableRequestedAuthnContext: true,
+        wantAuthnResponseSigned: false,
+        identifierFormat: "",
         authnRequestBinding: "HTTP-Redirect",
-        acceptedClockSkewMs: 1000, // Allow some slack in clock sync
       },
-      (req, profile, done) => {
+      function (profile: Profile, done: Function) {
         return this.validate(profile, done);
       }
     );
   }
 
   // eslint-disable-next-line @typescript-eslint/ban-types
-  async validate(profile: Profile, done: Function): Promise<UserResponseDto> {
+  public async validate(profile: Profile, done: Function): Promise<UserResponseDto> {
+    this.logger.log("Profile", profile);
+    const samlResponse = profile.getSamlResponseXml();
+    this.logger.log("SAML Response", samlResponse);
+    this.logger.log("AssertionXML", profile.getAssertionXml());
+
     try {
       const exists = await this.authService.validateKombitUser(profile);
       done(null, exists);

src/config/configuration.ts

@@ -24,8 +24,9 @@ export default (): any => {
       entryPoint:
         process.env.KOMBIT_ENTRYPOINT ||
         "https://adgangsstyring.eksterntest-stoettesystemerne.dk/runtime/saml2/issue.idp",
-      certificatePublicKey: process.env.KOMBIT_CERTIFICATEPUBLICKEY || "INSERT_KOMBIT_CERT", // Public certificate from Kombit Test server
+      certificatePublicKey: process.env.KOMBIT_CERTIFICATEPUBLICKEY || "INSERT_KOMBIT_CERT", // Public certificate from Kombit server
       certificatePrivateKey: process.env.KOMBIT_CERTIFICATEPRIVATEKEY || "",
+      certificateOwnPublicKey: process.env.KOMBIT_CERTIFICATEOWNPUBLICKEY || "",
       roleUri: process.env.KOMBIT_ROLE_NAME || "http://os2iot.dk/roles/usersystemrole/adgang/",
     },
     chirpstack: {

src/services/user-management/auth.service.ts

@@ -8,7 +8,7 @@ import { ErrorCodes } from "@entities/enum/error-codes.enum";
 import { Injectable, Logger, UnauthorizedException } from "@nestjs/common";
 import { JwtService } from "@nestjs/jwt";
 import { compare } from "bcryptjs";
-import { Profile } from "@node-saml/node-saml";
+import { Profile } from "@node-saml/passport-saml";
 import * as xml2js from "xml2js";
 import { ApiKeyService } from "../api-key-management/api-key.service";
 import { UserService } from "./user.service";

src/services/user-management/user.service.ts

@@ -22,7 +22,7 @@ import { isPermissionType } from "@helpers/security-helper";
 import { nameof } from "@helpers/type-helper";
 import { OS2IoTMail } from "@services/os2iot-mail.service";
 import { AuthenticatedRequest } from "@dto/internal/authenticated-request";
-import { Profile } from "@node-saml/node-saml";
+import { Profile } from "@node-saml/passport-saml";
 
 @Injectable()
 export class UserService {