Revert 2 (#10)

* initial commit

* Initial commit

* Add security notice to readme

* Added logic to error if the options are missing the identityProviderUrl login endpoint

* Updated the error message and added unit test cases

* Added pattern match for expected generated URL

* Switching from block-scoped declaration to var to fix TravisCI error

* 3.0.6

* Removing the moment package dependency and removing all imports of the package

* 3.0.7

* Fix issue with digest with extra whitespaces (auth0#70)

* Added digest issue test

* bumped library

* remove github tag

* Changed tag

* Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json

* Improve error message when signing certificate is invalid (auth0#72)

* Improve error message when the provided signing certificate is invalid

* Convert indentation to spaces

* Added tests for the encoded XML value in an AttributeValue field (auth0#74)

* Added tests for the encoded XML value in an AttributeValue field

* Updated the xmldom dependency to point to a release tag.

* 3.0.8 (auth0#73)

* Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77)

We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't.

We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible.

* 3.0.9

* fix signature location lookup

* Update the security notice file with a new entry.

* 3.0.10 (auth0#80)

* Handle exception when signing a malformed requestTemplate (auth0#88)

3.0.11 Handle exception when signing a malformed requestTemplate

* DF-38 Wrapping template parse to prevent uncaught (auth0#90)

## ✏️ Changes

There is a situation in which the @@ VAR @@ can get goofed up and
contain strings that will include part of the template itself. This will
not parse correctly and throws an exception in the replace phase of the
regex matching. I've wrapped it in a try/catch to prevent it from
bringing the process down.

Noting that this area looks problematic as it was recently patched in auth0#88

Version bumped to `3.0.12`.

## 🔗 References

[Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/)

## 🎯 Testing

✅ This change has unit test coverage

* Isolating handling of malformed template (auth0#93)

The `supplant` function will explode when a template is passed in this
manner, so this will return a corresponding error message when handing
the try/catch in this way.

If we add proper XML validation down the line, we can widen this out.

* Include option to check SAML certificate expiration (auth0#96)

* add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master

changes per machuga comments

changes per machuga comments

remove separate supported-versions list for saml

* restore test we lost in bad squash

* change some vars to lets and camel to snake case in tests

* add test to ensure we can allow expired certs if we choose to

* remove unneeded comment from tests

* Fix documentation for ADFS strategy configuration. (auth0#95)

* Tighten clock skew checks for SAML. (auth0#97)

Changing default clock skew to 3 minutes to adhere to standard industry practice.
Also make clock skew a configurable option.

* Use crypto randombytes for uniqueness (auth0#104)

* Use crypto randombytes for uniqueness

* Conform id length with the spec

* Added a variant of XSW test (auth0#107)

Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability.

* Add support of new error message format  (for OpenSSL errors) of Node.js (auth0#98)

fixes auth0#75

@machuga 
Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75`

* Add event for certificate expiration validation (auth0#114)

* Add event for certificate expiration validation

* emit always

* fix

* fix cert validation

* 3.0.14 (auth0#115)

* Fix x509 dependency (auth0#116)

* Fix x509 dependency

* 3.0.15

* change dependency

* fix cert validation (auth0#118)

* Catch x509 exeptions on invalid certificates (auth0#124)

* 3.0.17 (auth0#125)

* [Node 10] Update x509 (auth0#130)

* [Node 10] Update x509

* 4.0.0

* Update travis

* get rid of npm install

* Fix securty deps. (auth0#137)

* remove cryptiles
* bump xml-encryption
* express upgrade

* bump request version (auth0#138)

* Bump XML Crypto version (auth0#139)

* use last xml-crypto

* Change x509 dependency (auth0#142)

* 4.2.0

* Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145)

* new version: 4.3.0 (auth0#146)

* Move CI away from Travis and to Github Actions (auth0#147)

* Forgotten workflows folder (auth0#148)

* Run tests on all branch pushes and PRs (auth0#149)

* Use @auth0/xmldom (auth0#150)

Use custom npm lib with custom versions of xmldom

Tag v0.1.19-auth0.2 is now version v0.1.22

* Bump to 4.4.0 (auth0#151)

* add Destination & AssertionConsumerServiceURL as SAML req template vars

* 4.5.1 (auth0#155)

* Drop node 10, update/consolidate dev deps (auth0#157)

* Handle encoded CR entities in assertions (auth0#158)

* Allow options.assertionConsumerServiceURL or options.callback (auth0#156)

* Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159)

* chore(ci): configure Semantic Release publishing

* chore: use npm i instead of npm ci

* fix(pkg): upgrade xml-crypto to latest version

Addresses:
```
npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0
```

Co-authored-by: woloski <[email protected]>
Co-authored-by: German Lena <[email protected]>
Co-authored-by: Sandrino Di Mattia <[email protected]>
Co-authored-by: Mike Lee <[email protected]>
Co-authored-by: Mike Lee <[email protected]>
Co-authored-by: Marcos Castany <[email protected]>
Co-authored-by: Gustavo Narea <[email protected]>
Co-authored-by: Eduardo Diaz <[email protected]>
Co-authored-by: radekk <[email protected]>
Co-authored-by: Eduardo Diaz <[email protected]>
Co-authored-by: Matthew Machuga <[email protected]>
Co-authored-by: Robert <[email protected]>
Co-authored-by: Arkadiusz Kaɫkus <[email protected]>
Co-authored-by: gkwang <[email protected]>
Co-authored-by: Eva Sarafianou <[email protected]>
Co-authored-by: Fady Makram <[email protected]>
Co-authored-by: Jose Luis Diaz <[email protected]>
Co-authored-by: Yamil Asusta <[email protected]>
Co-authored-by: Robin Bijlani <[email protected]>
Co-authored-by: Hernan Zalazar <[email protected]>
Co-authored-by: Nico Sabena <[email protected]>
Co-authored-by: KalleV <[email protected]>

.gitignore

@@ -0,0 +1,6 @@
+node_modules
+.DS_Store
+package-lock.json
+*.log
+coverage
+.nyc_output

.jshintrc

@@ -0,0 +1,39 @@
+{
+  "camelcase": false,
+  "curly": false,
+
+  "node": true,
+  "esnext": true,
+  "bitwise": true,
+  "eqeqeq": true,
+  "immed": true,
+  "indent": 2,
+  "latedef": false,
+  "newcap": true,
+  "noarg": true,
+  "regexp": true,
+  "undef": true,
+  "strict": false,
+  "smarttabs": true,
+  "expr": true,
+
+  "evil": true,
+  "browser": true,
+  "regexdash": true,
+  "wsh": true,
+  "trailing": true,
+  "sub": true,
+  "unused": true,
+  "laxcomma": true,
+  "nonbsp": true,
+
+  "globals": {
+    "after": false,
+    "before": false,
+    "afterEach": false,
+    "beforeEach": false,
+    "describe": false,
+    "it": false,
+    "escape": false
+  }
+}

.npmignore

@@ -0,0 +1,13 @@
+*.md
+.DS_Store
+.vscode
+.git*
+Makefile
+docs/
+examples/
+support/
+test/
+coverage/
+.nyc_output/
+node_modules/
+package-lock.json

.npmrc

@@ -0,0 +1 @@
+package-lock=false

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Auth0, Inc. <[email protected]> (http://auth0.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,133 @@
+Passport-wsfed-saml2
+=============
+
+![Build Status](https://github.com/auth0/passport-wsfed-saml2/workflows/Tests/badge.svg)
+
+This is a ws-federation protocol + SAML2 tokens authentication provider for [Passport](http://passportjs.org/).
+
+The code was originally based on Henri Bergius's [passport-saml](https://github.com/bergie/passport-saml) library.
+
+Passport-wsfed-saml2 has been tested to work with both [Windows Azure Active Directory / Access Control Service](https://www.windowsazure.com/en-us/home/features/identity/) and with [Microsoft Active Directory Federation Services](http://en.wikipedia.org/wiki/Active_Directory_Federation_Services).
+
+## Installation
+
+    $ npm install passport-wsfed-saml2
+
+## Usage
+
+### Configure strategy
+
+This example utilizes a development namespace (auth10-dev) on [Windows Azure Access Control Service](https://www.windowsazure.com/en-us/home/features/identity/) and is using Google as the only identity provider configured for the sample application.
+
+
+```javascript
+passport.use(new wsfedsaml2(
+  {
+    path: '/login/callback',
+    realm: 'urn:node:app',
+    homeRealm: '', // optionally specify an identity provider to avoid showing the idp selector
+    identityProviderUrl: 'https://auth10-dev.accesscontrol.windows.net/v2/wsfederation',
+    cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg='
+  },
+  function(profile, done) {
+    findByEmail(profile.email, function(err, user) {
+      if (err) {
+        return done(err);
+      }
+      return done(null, user);
+    });
+  })
+));
+```
+
+### Provide the authentication callback
+
+You need to provide a route corresponding to the `path` configuration parameter given to the strategy:
+
+```javascript
+app.post('/login/callback',
+  passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true }),
+  function(req, res) {
+    res.redirect('/');
+  }
+);
+```
+
+### Jwt
+
+Although this started as wsfed&saml we added support for wsfed&jwt. Usage is
+
+~~~javascript
+passport.use(new wsfedsaml2(
+  {
+    jwt: {
+      //same options than node-jsonwebtoken
+      algorithm: 'RS256'
+    },
+    cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5RBvaQdlFltDzANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTEwOTIxMDMzMjMyWhcNMTIwOTIwMDkzMjMyWjAvMS0wKwYDVQQDEyRhdXRoMTAtZGV2LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEIAEB/KKT3ehNMy2MQEyJIQ14CnZ8DC2FZgL5Gw3UBSdRb9JinK/gw7yOQtwKfJUqeoZaUSAAdcdbgqwVxOnMBfWiYX7DGlEznSfqYVnjOWjqqjpoe0h6RaOkdWovDtoidmqVV1tWRJFjkj895clPxkLpnqqcycfXtSdZen0SroGyirD2mhMc9ccLbJ3zRnBNjlvpo5zow1zYows09tNC2EhGROL/OS4JNRQnJRICZC+WkA7Igf3xb4btJOzIPYhFiqCGrd/81CHmAyEuNzyc60I5yomDQfZ91Eb5Uk3F7mlfAlYB2aZwDwldLSOlVE8G1E5xFexF/5KyPC4ShNodAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUyYfx/r0czsPgTzitqey+fGMQpkcwDQYJKoZIhvcNAQEFBQADggEBAB5dgQlM3tKS+/cjlvMCPjZH0Iqo/Wxecri3YWi2iVziZ/TQ3dSV+J/iTyduN7rJmFQzTsNERcsgyAwblwnEKXXvlWo8G/+VDIMh3zVPNQFKns5WPkfkhoSVlnZPTQ8zdXAcWgDXbCgvdqIPozdgL+4l0W0XVL1ugA4/hmMXh4TyNd9Qj7MWvlmwVjevpSqN4wG735jAZFHb/L/vvc91uKqP+JvLNj8tPFVxatzi56X1V8jBM61Hx1Z9D0RCDjtmcQVysVEylW9O6mNy6ZrhLm0q5yecWudfBbTKDqRoCHQRjrMU2c5q/ZFDtgjLim7FaNxFbgTyjeRCPclEhfemYVg='
+  },
+  function(profile, done) {
+    findByEmail(profile.email, function(err, user) {
+      if (err) {
+        return done(err);
+      }
+      return done(null, user);
+    });
+  })
+));
+~~~
+
+### Configure strategy for ADFS (WS-Fed)
+
+This example utilizes a strategy with ADFS using WS-Fed.
+
+```javascript
+passport.use('wsfed-saml2', new wsfedsaml2({
+	// ADFS RP identifier
+	realm: 'urn:node:wsfedapp',
+	identityProviderUrl: 'https://my-adfs/adfs/ls',
+	// ADFS token signing certificate
+	thumbprint: '5D27....D27E'
+	// or cert: fs.readFileSync("adfs_signing_key.cer")
+}, function (profile, done) {
+ // ...
+}));
+
+```
+
+### Configure strategy for ADFS (SAMLp)
+
+This example utilizes a strategy using SAMLp and RP token encryption.
+
+```javascript
+passport.use('wsfed-saml2', new wsfedsaml2({
+	// ADFS RP identifier
+	realm: 'urn:node:samlapp',
+	identityProviderUrl: 'https://my-adfs/adfs/ls',
+    // ADFS token signing certificate
+    thumbprint: '5D27...D27E',
+	// or cert: fs.readFileSync("adfs_signing_key.cer")
+    protocol: "samlp",
+	// This is the private key (use case where ADFS
+	// is configured for RP token encryption)
+    decryptionKey: fs.readFileSync("server.key")
+}, function (profile, done) {
+ // ...
+}));
+```
+
+## Issue Reporting
+
+If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
+
+## Security Notice
+
+The [Security Notice](SECURITY-NOTICE.md) lists the version that is vulnerable and the actions that are required to upgrade to the latest version.
+
+## Author
+
+[Auth0](auth0.com)
+
+## License
+
+This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.

SECURITY-NOTICE.md

@@ -0,0 +1,47 @@
+Security vulnerability details for passport-wsfed-saml2 < 3.0.10
+===============================================================
+
+A vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the "Signature" tag is at the proper location inside an "Assertion" tag. This leads to a signature relocation attack where the attacker can corrupt one field of data while
+maintaining the signature valid. This could allow an authenticated attacker to "remove" one group from his assertion or corrupt another field of an assertion.
+
+Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries. See below:
+
+```
+{
+  "dependencies": {
+    "passport-wsfed-saml2": "^3.0.10"
+  }
+}
+```
+
+## Upgrade Notes
+
+This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
+
+You can read more details regarding the vulnerability [here](https://auth0.com/docs/security/bulletins/cve-2018-8085).
+
+
+
+Security vulnerability details for passport-wsfed-saml2 < 3.0.5
+===============================================================
+
+A vulnerability has been discovered in the passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider:
+
+* signs SAML response and signs assertion
+* does not sign SAML response and signs assertion
+
+Developers using the passport-wsfed-saml2 Passport Strategy need to upgrade to the latest version: 3.0.5.
+
+Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries. See below:
+
+```
+{
+  "dependencies": {
+    "passport-wsfed-saml2": "^3.0.5"
+  }
+}
+```
+
+## Upgrade Notes
+
+This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.

examples/auth0/app.js

@@ -0,0 +1,90 @@
+var express = require('express');
+var passport = require('passport');
+var Strategy = require('../../lib/passport-wsfed-saml2/index').Strategy;
+var http = require('http');
+
+passport.serializeUser(function(user, done) {
+  done(null, user);
+});
+
+passport.deserializeUser(function(id, done) {
+  done(null, id);
+});
+
+passport.use(new Strategy(
+  {
+    protocol: 'samlp',
+    path: '/login/callback',
+    realm: 'urn:saml-example',
+    homeRealm: '',
+    // identityProviderUrl: 'https://mdocs.auth0.com/samlp/dVrQZOG4gkBhzcLartSgW2v7kSnvW5XR?connection=github',
+    // thumbprint: 'c5b930896e3f4e2cc1d6d1ceb68f4d3de90deee6'
+    identityProviderUrl: 'https://login0.myauth0.com/samlp/wklezTET2P3iYA54Sraju8qFN0ohdI0G',
+    thumbprints: ['dba77ba142ff38d5076b4310700709c470d53790']
+  }, function(profile, done) {
+    console.log("Auth with", profile);
+    if (!profile.email) {
+      return done(new Error("No email found"), null);
+    }
+    done(null, profile);
+  }
+));
+
+var app = express();
+
+// configure Express
+app.configure(function() {
+  app.set('views', __dirname + '/views');
+  app.set('view engine', 'ejs');
+  app.use(express.logger());
+  app.use(express.cookieParser());
+  app.use(express.bodyParser());
+  app.use(express.methodOverride());
+  app.use(express.session({ secret: 'keyboard cat' }));
+  app.use(passport.initialize());
+  app.use(passport.session());
+  app.use(app.router);
+  app.use(express.static(__dirname + '/../../public'));
+});
+
+
+app.get('/', function(req, res){
+  res.render('index', { user: req.user });
+});
+
+app.get('/account', ensureAuthenticated, function(req, res){
+  res.render('account', { user: req.user });
+});
+
+app.get('/login',
+  passport.authenticate('wsfed-saml2', { failureRedirect: '/', forceAuthn: true }),
+  function(req, res) {
+    res.redirect('/');
+  }
+);
+
+app.post('/login/callback',
+  passport.authenticate('wsfed-saml2', { failureRedirect: '/' }),
+  function(req, res) {
+    res.redirect('/');
+  }
+);
+
+app.get('/logout', function(req, res){
+  req.logout();
+  res.redirect('/');
+});
+
+http.createServer(app).listen(3000, function () {
+  console.log("Server listening in http://localhost:3000");
+});
+
+// Simple route middleware to ensure user is authenticated.
+//   Use this route middleware on any resource that needs to be protected.  If
+//   the request is authenticated (typically via a persistent login session),
+//   the request will proceed.  Otherwise, the user will be redirected to the
+//   login page.
+function ensureAuthenticated(req, res, next) {
+  if (req.isAuthenticated()) { return next(); }
+  res.redirect('/login');
+}

examples/auth0/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "passport-azure-acs-sample",
+  "version": "0.0.0",
+  "dependencies": {
+    "express": ">= 0.0.0",
+    "ejs": ">= 0.0.0",
+    "passport": ">= 0.0.0",
+    "passport-azure-acs": ">= 0.0.0"
+  }
+}

examples/auth0/views/account.ejs

@@ -0,0 +1,2 @@
+<p>ID: <%= user.id %></p>
+<p>Name: <%= user.displayName %></p>

examples/auth0/views/index.ejs

@@ -0,0 +1,5 @@
+<% if (!user) { %>
+<h2>Welcome! Please log in.</h2>
+<% } else { %>
+<h2>Hello, <%= user.email %>.</h2>
+<% } %>