Merge pull request #16 from auth0/name-format-and-type

Added nameformat and type for attributes

Author: ziluvatar

lib/saml20.js

@@ -3,7 +3,9 @@ var utils = require('./utils'),
     Parser = require('xmldom').DOMParser,
     SignedXml = require('xml-crypto').SignedXml,
     xmlenc = require('xml-encryption'),
-    moment = require('moment');
+    moment = require('moment'),
+    xmlNameValidator = require('xml-name-validator'),
+    is_uri = require('valid-url').is_uri;
 
 var fs = require('fs');
 var path = require('path');
@@ -22,6 +24,37 @@ var algorithms = {
   }
 };
 
+function getAttributeType(value){
+  switch(typeof value) {
+    case "string":
+      return 'xs:string';
+    case "boolean":
+      return 'xs:boolean';
+    case "number":
+      // Maybe we should fine-grain this type and check whether it is an integer, float, double xsi:types
+      return 'xs:double';
+    default:
+      return 'xs:anyType';
+  }
+}
+
+function getNameFormat(name){
+  if (is_uri(name)){
+    return 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';
+  }
+
+  //  Check that the name is a valid xs:Name -> https://www.w3.org/TR/xmlschema-2/#Name
+  //  xmlNameValidate.name takes a string and will return an object of the form { success, error }, 
+  //  where success is a boolean 
+  //  if it is false, then error is a string containing some hint as to where the match went wrong.
+  if (xmlNameValidator.name(name).success){
+    return 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';
+  }
+
+  // Default value
+  return 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified';
+}
+
 exports.create = function(options, callback) {
   if (!options.key)
     throw new Error('Expect a private key in pem format');
@@ -32,6 +65,10 @@ exports.create = function(options, callback) {
   options.signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256';
   options.digestAlgorithm = options.digestAlgorithm || 'sha256';
 
+  options.includeAttributeNameFormat = (typeof options.includeAttributeNameFormat !== 'undefined') ? options.includeAttributeNameFormat : true;
+  options.typedAttributes = (typeof options.typedAttributes !== 'undefined') ? options.typedAttributes : true;
+
+
   var cert = utils.pemToCert(options.cert);
 
   var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[options.signatureAlgorithm], idAttribute: 'ID' });
@@ -97,15 +134,24 @@ exports.create = function(options, callback) {
       // </saml:Attribute>
       var attributeElement = doc.createElementNS(NAMESPACE, 'saml:Attribute');
       attributeElement.setAttribute('Name', prop);
+
+      if (options.includeAttributeNameFormat){
+        attributeElement.setAttribute('NameFormat', getNameFormat(prop));        
+      }
+
       var values = options.attributes[prop] instanceof Array ? options.attributes[prop] : [options.attributes[prop]];
       values.forEach(function (value) {
-        var valueElement = doc.createElementNS(NAMESPACE, 'saml:AttributeValue');
-        valueElement.setAttribute('xsi:type', 'xs:anyType');
-        valueElement.textContent = value;
-        attributeElement.appendChild(valueElement);
+        // Check by type, becase we want to include false values
+        if (typeof value !== 'undefined') {
+          // Ignore undefined values in Array
+          var valueElement = doc.createElementNS(NAMESPACE, 'saml:AttributeValue');
+          valueElement.setAttribute('xsi:type', options.typedAttributes ? getAttributeType(value) : 'xs:anyType');
+          valueElement.textContent = value;
+          attributeElement.appendChild(valueElement);
+        }
       });
 
-      if (values && values.length > 0) {
+      if (values && values.filter(function(i){ return typeof i !== 'undefined'; }).length > 0) {
         // saml:Attribute must have at least one saml:AttributeValue
         statement.appendChild(attributeElement);
       }

package.json

@@ -16,8 +16,10 @@
   "dependencies": {
     "async": "~0.2.9",
     "moment": "~2.14.1",
+    "valid-url": "~1.0.9",
     "xml-crypto": "0.8.4",
     "xml-encryption": "~0.7.4",
+    "xml-name-validator": "~2.0.1",
     "xmldom": "=0.1.15",
     "xpath": "0.0.5"
   },

test/saml20.tests.js

@@ -84,6 +84,213 @@ describe('saml 2.0', function () {
     assert.equal('fóo', attributes[2].textContent);
   });
 
+  it('should set attributes with the correct attribute type', function () {
+    var options = {
+      cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+      key: fs.readFileSync(__dirname + '/test-auth0.key'),
+      attributes: {
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+        'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+        'http://example.org/claims/testaccent': 'fóo', // should supports accents
+        'http://attributes/boolean': true, 
+        'http://attributes/booleanNegative': false, 
+        'http://attributes/number': 123, 
+        'http://undefinedattribute/ws/com.com': undefined
+      }
+    };
+
+    var signedAssertion = saml.create(options);
+    
+    var isValid = utils.isValidSignature(signedAssertion, options.cert);
+    assert.equal(true, isValid);
+
+    var attributes = utils.getAttributes(signedAssertion);
+    assert.equal(6, attributes.length);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+    assert.equal('[email protected]', attributes[0].textContent);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+    assert.equal('Foo Bar', attributes[1].textContent);
+    assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
+    assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
+    assert.equal('fóo', attributes[2].textContent);
+    assert.equal('http://attributes/boolean', attributes[3].getAttribute('Name'));
+    assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
+    assert.equal('true', attributes[3].textContent);
+    assert.equal('http://attributes/booleanNegative', attributes[4].getAttribute('Name'));
+    assert.equal('xs:boolean', attributes[4].firstChild.getAttribute('xsi:type'));
+    assert.equal('false', attributes[4].textContent);
+    assert.equal('http://attributes/number', attributes[5].getAttribute('Name'));
+    assert.equal('xs:double', attributes[5].firstChild.getAttribute('xsi:type'));
+    assert.equal('123', attributes[5].textContent);
+  });
+
+  it('should set attributes with the correct attribute type and NameFormat', function () {
+    var options = {
+      cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+      key: fs.readFileSync(__dirname + '/test-auth0.key'),
+      attributes: {
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+        'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+        'testaccent': 'fóo', // should supports accents
+        'urn:test:1:2:3': true,
+        '123~oo': 123, 
+        'http://undefinedattribute/ws/com.com': undefined
+      }
+    };
+
+    var signedAssertion = saml.create(options);
+    
+    var isValid = utils.isValidSignature(signedAssertion, options.cert);
+    assert.equal(true, isValid);
+
+    var attributes = utils.getAttributes(signedAssertion);
+    assert.equal(5, attributes.length);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[0].getAttribute('NameFormat'));    
+    assert.equal('[email protected]', attributes[0].textContent);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[1].getAttribute('NameFormat'));    
+    assert.equal('Foo Bar', attributes[1].textContent);
+    assert.equal('testaccent', attributes[2].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', attributes[2].getAttribute('NameFormat'));    
+    assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
+    assert.equal('fóo', attributes[2].textContent);
+    assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[3].getAttribute('NameFormat'));
+    assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
+    assert.equal('true', attributes[3].textContent);
+    assert.equal('123~oo', attributes[4].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified', attributes[4].getAttribute('NameFormat'));    
+    assert.equal('xs:double', attributes[4].firstChild.getAttribute('xsi:type'));
+    assert.equal('123', attributes[4].textContent);
+  });
+
+  it('should set attributes to anytpe when typedAttributes is false', function () {
+    var options = {
+      cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+      key: fs.readFileSync(__dirname + '/test-auth0.key'),
+      typedAttributes: false,
+      attributes: {
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+        'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+        'http://example.org/claims/testaccent': 'fóo', // should supports accents
+        'http://attributes/boolean': true, 
+        'http://attributes/number': 123, 
+        'http://undefinedattribute/ws/com.com': undefined
+      }
+    };
+
+    var signedAssertion = saml.create(options);
+    
+    var isValid = utils.isValidSignature(signedAssertion, options.cert);
+    assert.equal(true, isValid);
+
+    var attributes = utils.getAttributes(signedAssertion);
+    assert.equal(5, attributes.length);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+    assert.equal('[email protected]', attributes[0].textContent);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+    assert.equal('Foo Bar', attributes[1].textContent);
+    assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
+    assert.equal('xs:anyType', attributes[2].firstChild.getAttribute('xsi:type'));
+    assert.equal('fóo', attributes[2].textContent);
+    assert.equal('http://attributes/boolean', attributes[3].getAttribute('Name'));
+    assert.equal('xs:anyType', attributes[3].firstChild.getAttribute('xsi:type'));
+    assert.equal('true', attributes[3].textContent);
+    assert.equal('http://attributes/number', attributes[4].getAttribute('Name'));
+    assert.equal('xs:anyType', attributes[4].firstChild.getAttribute('xsi:type'));
+    assert.equal('123', attributes[4].textContent);
+  });
+
+  it('should not set NameFormat in attributes when includeAttributeNameFormat is false', function () {
+    var options = {
+      cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+      key: fs.readFileSync(__dirname + '/test-auth0.key'),
+      typedAttributes: false,
+      includeAttributeNameFormat: false,
+      attributes: {
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+        'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+        'testaccent': 'fóo', // should supports accents
+        'urn:test:1:2:3': true,
+        '123~oo': 123, 
+        'http://undefinedattribute/ws/com.com': undefined
+      }
+    };
+
+    var signedAssertion = saml.create(options);
+    
+    var isValid = utils.isValidSignature(signedAssertion, options.cert);
+    assert.equal(true, isValid);
+
+    var attributes = utils.getAttributes(signedAssertion);
+    assert.equal(5, attributes.length);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+    assert.equal('', attributes[0].getAttribute('NameFormat'));    
+    assert.equal('[email protected]', attributes[0].textContent);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+    assert.equal('', attributes[1].getAttribute('NameFormat'));    
+    assert.equal('Foo Bar', attributes[1].textContent);
+    assert.equal('testaccent', attributes[2].getAttribute('Name'));
+    assert.equal('', attributes[2].getAttribute('NameFormat'));    
+    assert.equal('fóo', attributes[2].textContent);
+    assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
+    assert.equal('', attributes[3].getAttribute('NameFormat'));
+    assert.equal('true', attributes[3].textContent);
+    assert.equal('123~oo', attributes[4].getAttribute('Name'));
+    assert.equal('', attributes[4].getAttribute('NameFormat'));    
+    assert.equal('123', attributes[4].textContent);
+  });
+
+  it('should ignore undefined attributes in array', function () {
+    var options = {
+      cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+      key: fs.readFileSync(__dirname + '/test-auth0.key'),
+      attributes: {
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+        'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+        'arrayAttribute': [ 'foo', undefined, 'bar'],
+        'urn:test:1:2:3': true,
+        '123~oo': 123, 
+        'http://undefinedattribute/ws/com.com': undefined
+      }
+    };
+
+    var signedAssertion = saml.create(options);
+    
+    var isValid = utils.isValidSignature(signedAssertion, options.cert);
+    assert.equal(true, isValid);
+
+    var attributes = utils.getAttributes(signedAssertion);
+    assert.equal(5, attributes.length);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[0].getAttribute('NameFormat'));    
+    assert.equal('[email protected]', attributes[0].textContent);
+    assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[1].getAttribute('NameFormat'));    
+    assert.equal('Foo Bar', attributes[1].textContent);
+    assert.equal('arrayAttribute', attributes[2].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', attributes[2].getAttribute('NameFormat'));    
+    assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
+    assert.equal(2, attributes[2].childNodes.length);
+    assert.equal('foo', attributes[2].childNodes[0].textContent);
+    // undefined should not be here
+    assert.equal('bar', attributes[2].childNodes[1].textContent);
+    assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[3].getAttribute('NameFormat'));
+    assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
+    assert.equal('true', attributes[3].textContent);
+    assert.equal('123~oo', attributes[4].getAttribute('Name'));
+    assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified', attributes[4].getAttribute('NameFormat'));    
+    assert.equal('xs:double', attributes[4].firstChild.getAttribute('xsi:type'));
+    assert.equal('123', attributes[4].textContent);
+  });
+
   it('whole thing with specific authnContextClassRef', function () {
     var options = {
       cert: fs.readFileSync(__dirname + '/test-auth0.pem'),