Merge pull request #66 from luuuis/allow-unsigned-assertions

feat: adds createUnsignedAssertion()

Author: luuuis

.gitignore

@@ -1,2 +1,3 @@
 node_modules
-.DS_Store
+.DS_Store
+package-lock.json

README.md

@@ -1,13 +1,13 @@
-Create SAML assertions.
+# node-saml
 
-NOTE: currently supports SAML 1.1 tokens
+Create SAML assertions. Supports SAML 1.1 and SAML 2.0 tokens.
 
 [![Build Status](https://travis-ci.org/auth0/node-saml.png)](https://travis-ci.org/auth0/node-saml)
 
 ### Usage
 
 ```js
-var saml11 = require('saml').Saml11;
+var saml = require('saml').Saml20; // or Saml11
 
 var options = {
   cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
@@ -23,7 +23,7 @@ var options = {
   sessionIndex: '_faed468a-15a0-4668-aed6-3d9c478cc8fa'
 };
 
-var signedAssertion = saml11.create(options);
+var signedAssertion = saml.create(options);
 ```
 
 Everything except the cert and key is optional.

commitlint.config.js

@@ -0,0 +1 @@
+module.exports = { extends: ['@commitlint/config-conventional'] };

lib/saml11.js

@@ -1,57 +1,109 @@
+var path = require('path');
+var utils = require('./utils');
+var Parser = require('xmldom').DOMParser;
+var xmlenc = require('xml-encryption');
+var moment = require('moment');
+var async = require('async');
+var crypto = require('crypto');
 
-var utils = require('./utils'),
-    Parser = require('xmldom').DOMParser,
-    SignedXml = require('xml-crypto').SignedXml,
-    xmlenc = require('xml-encryption'),
-    moment = require('moment');
-    async = require('async');
-    crypto = require('crypto');
+var EncryptXml = require('./xml/encrypt');
+var SignXml = require('./xml/sign');
 
-var fs = require('fs');
-var path = require('path');
-var saml11 = fs.readFileSync(path.join(__dirname, 'saml11.template')).toString();
+var newSaml11Document = utils.factoryForNode(path.join(__dirname, 'saml11.template'));
 
 var NAMESPACE = 'urn:oasis:names:tc:SAML:1.0:assertion';
 
-var algorithms = {
-  signature: {
-    'rsa-sha256': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
-    'rsa-sha1':  'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
-  },
-  digest: {
-    'sha256': 'http://www.w3.org/2001/04/xmlenc#sha256',
-    'sha1': 'http://www.w3.org/2000/09/xmldsig#sha1'
-  }
-};
+function extractSaml11Options(opts) {
+  return {
+    uid: opts.uid,
+    issuer: opts.issuer,
+    lifetimeInSeconds: opts.lifetimeInSeconds,
+    audiences: opts.audiences,
+    attributes: opts.attributes,
+    nameIdentifier: opts.nameIdentifier,
+    nameIdentifierFormat: opts.nameIdentifierFormat,
+    subjectConfirmationMethod: opts.subjectConfirmationMethod,
+    holderOfKeyProofSecret: opts.holderOfKeyProofSecret
+  };
+}
 
+/**
+ * Creates a signed SAML 1.1 assertion from the given options.
+ *
+ * @param options
+ *
+ * // SAML
+ * @param [options.uid] {string}
+ * @param [options.issuer] {string}
+ * @param [options.lifetimeInSeconds] {number}
+ * @param [options.audiences] {string|string[]}
+ * @param [options.attributes]
+ * @param [options.nameIdentifier] {string}
+ * @param [options.nameIdentifierFormat] {string}
+ *
+ * // XML Dsig
+ * @param options.key {Buffer}
+ * @param options.cert {Buffer}
+ * @param [options.signatureAlgorithm] {string}
+ * @param [options.digestAlgorithm] {string}
+ * @param [options.signatureNamespacePrefix] {string}
+ * @param [options.xpathToNodeBeforeSignature] {string}
+ * @param [options.subjectConfirmationMethod] {string}
+ * @param [options.holderOfKeyProofSecret] {Buffer}
+ *
+ * // XML encryption
+ * @param [options.encryptionCert] {Buffer}
+ * @param [options.encryptionPublicKey] {Buffer}
+ * @param [options.encryptionAlgorithm] {string}
+ * @param [options.keyEncryptionAlgorighm] {string}
+ *
+ * @param {Function} [callback] required if encrypting
+ * @return {String|*}
+ */
 exports.create = function(options, callback) {
-  if (!options.key)
-    throw new Error('Expect a private key in pem format');
-
-  if (!options.cert)
-    throw new Error('Expect a public key cert in pem format');
-
-  options.signatureAlgorithm = options.signatureAlgorithm || 'rsa-sha256';
-  options.digestAlgorithm = options.digestAlgorithm || 'sha256';
-
-  var cert = utils.pemToCert(options.cert);
-
-  var sig = new SignedXml(null, { signatureAlgorithm: algorithms.signature[options.signatureAlgorithm], idAttribute: 'AssertionID' });
-  sig.addReference("//*[local-name(.)='Assertion']",
-                  ["http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"],
-                  algorithms.digest[options.digestAlgorithm]);
+  return createAssertion(extractSaml11Options(options), {
+    signXml: SignXml.fromSignXmlOptions(Object.assign({
+      xpathToNodeBeforeSignature: "//*[local-name(.)='AuthenticationStatement']",
+      signatureIdAttribute: 'AssertionID'
+    }, options)),
+    encryptXml: EncryptXml.fromEncryptXmlOptions(options)
+  }, callback);
+}
 
-  sig.signingKey = options.key;
-  
-  sig.keyInfoProvider = {
-    getKeyInfo: function () {
-      return "<X509Data><X509Certificate>" + cert + "</X509Certificate></X509Data>";
-    }
-  };
+/**
+ * Creates an **unsigned** SAML 1.1 assertion from the given options.
+ *
+ * @param options
+ *
+ * // SAML
+ * @param [options.uid] {string}
+ * @param [options.issuer] {string}
+ * @param [options.lifetimeInSeconds] {number}
+ * @param [options.audiences] {string|string[]}
+ * @param [options.attributes]
+ * @param [options.nameIdentifier] {string}
+ * @param [options.nameIdentifierFormat] {string}
+ *
+ * // XML encryption
+ * @param [options.encryptionCert] {Buffer}
+ * @param [options.encryptionPublicKey] {Buffer}
+ * @param [options.encryptionAlgorithm] {string}
+ * @param [options.keyEncryptionAlgorighm] {string}
+ *
+ * @param {Function} [callback] required if encrypting
+ * @return {String|*}
+ */
+exports.createUnsignedAssertion = function(options, callback) {
+  return createAssertion(extractSaml11Options(options), {
+    signXml: SignXml.unsigned,
+    encryptXml: EncryptXml.fromEncryptXmlOptions(options)
+  }, callback);
+}
 
+function createAssertion(options, strategies, callback) {
   var doc;
   try {
-    doc = new Parser().parseFromString(saml11.toString());
+    doc = newSaml11Document();
   } catch(err){
     return utils.reportError(err, callback);
   }
@@ -125,42 +177,38 @@ exports.create = function(options, callback) {
     nameIDs[1].setAttribute('Format', options.nameIdentifierFormat);
   }
 
-  if (!options.encryptionCert) return sign(options, sig, doc, callback);
+  if (strategies.encryptXml === EncryptXml.unencrypted) {
+    var signed = strategies.signXml(doc);
+    return strategies.encryptXml(signed, callback);
+  }
 
-  // encryption is turned on, 
+  // encryption is turned on,
   var proofSecret;
   async.waterfall([
-    function(cb) {
-      if (!options.subjectConfirmationMethod && options.subjectConfirmationMethod !== 'holder-of-key') 
+    function (cb) {
+      if (!options.subjectConfirmationMethod && options.subjectConfirmationMethod !== 'holder-of-key')
         return cb();
-      
+
       crypto.randomBytes(32, function(err, randomBytes) {
         proofSecret = randomBytes;
-        addSubjectConfirmation(options, doc, options.holderOfKeyProofSecret || randomBytes, cb);
+        addSubjectConfirmation(strategies.encryptXml.encryptOptions, doc, options.holderOfKeyProofSecret || randomBytes, cb);
       });
-      
     },
     function(cb) {
-      sign(options, sig, doc, function(err, signed) {
-        if (err) return cb(err);
-        return encrypt(options, signed, cb);
-      });
+      strategies.signXml(doc, cb);
+    },
+    function(signed, cb) {
+      strategies.encryptXml(signed, cb);
     }
-  ], function(err, result) {
+  ], function (err, result) {
     if (err) return callback(err);
     callback(null, result, proofSecret);
   });
-}; 
-
-function addSubjectConfirmation(options, doc, randomBytes, callback) {
-  var encryptOptions = {
-    rsa_pub: options.encryptionPublicKey,
-    pem: options.encryptionCert,
-    keyEncryptionAlgorighm: options.keyEncryptionAlgorighm || 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
-  };
+}
 
-  xmlenc.encryptKeyInfo(randomBytes, encryptOptions, function(err, keyinfo) { 
-    if (err) return cb(err);
+function addSubjectConfirmation(encryptOptions, doc, randomBytes, callback) {
+  xmlenc.encryptKeyInfo(randomBytes, encryptOptions, function(err, keyinfo) {
+    if (err) return callback(err);
     var subjectConfirmationNodes = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'SubjectConfirmation');
 
     for (var i=0; i<subjectConfirmationNodes.length; i++) {
@@ -179,40 +227,3 @@ function addSubjectConfirmation(options, doc, randomBytes, callback) {
     callback();
   });
 }
-
-function sign(options, sig, doc, callback) {
-  var token = utils.removeWhitespace(doc.toString());
-  var signed;
-
-  try {
-    var opts = options.xpathToNodeBeforeSignature ? { 
-      location: { 
-        reference: options.xpathToNodeBeforeSignature, 
-        action: 'after'
-      }
-    } : {};
-
-    sig.computeSignature(token, opts);
-    signed = sig.getSignedXml();
-  } catch(err){
-    return utils.reportError(err, callback);
-  }
-
-  if (!callback) return signed;
-
-  return callback(null, signed);
-}
-
-function encrypt(options, signed, callback) {
-  var encryptOptions = {
-    rsa_pub: options.encryptionPublicKey,
-    pem: options.encryptionCert,
-    encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
-    keyEncryptionAlgorighm: options.keyEncryptionAlgorighm || 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
-  };
-
-  xmlenc.encrypt(signed, encryptOptions, function(err, encrypted) {
-    if (err) return callback(err);
-    callback(null, utils.removeWhitespace(encrypted));
-  });
-}