Bump XML Crypto version (#139)

* use last xml-crypto

lib/passport-wsfed-saml2/samlp.js

@@ -106,6 +106,25 @@ var algorithms = {
   }
 };
 
+function collectAncestorNamespaces(node, nameSpaces = [], maxDeep = 5){
+  if (!(node && node.parentNode) || maxDeep <= 0) {
+    return nameSpaces;
+  }
+
+  const parent = node.parentNode;
+
+  if(parent.attributes && parent.attributes.length > 0){
+    for(let i=0;i<parent.attributes.length;i++){
+      const attr = parent.attributes[i];
+      if(attr && attr.nodeName && attr.nodeName.search(/^xmlns:/) !== -1){
+        nameSpaces.push({key: attr.nodeName, value: attr.nodeValue});
+      }
+    }
+  }
+
+  return collectAncestorNamespaces(parent, nameSpaces, maxDeep - 1);
+}
+
 Samlp.prototype = {
   getSamlRequestParams: function (opts, callback) {
     var options = xtend(opts || {}, this.options);
@@ -179,7 +198,7 @@ Samlp.prototype = {
         try {
           sig.computeSignature(SAMLRequest, { location: { reference: "//*[local-name(.)='Issuer']", action: 'after' } }); // Signature element must be located after Issuer
         } catch (e) {
-          return callback(new Error(e));
+          return callback(new Error('fail to compute signature'));
         }
 
         SAMLRequest = trimXml(sig.getSignedXml());
@@ -257,20 +276,24 @@ Samlp.prototype = {
 
   extractAssertion: function(samlpResponse, callback) {
     samlpResponse = utils.parseSamlResponse(samlpResponse);
+    const saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion';
 
-    var saml2Namespace = 'urn:oasis:names:tc:SAML:2.0:assertion';
-    var done = function (err, assertion) {
-      if (err) { return callback(err); }
+    function done(err, assertion) {
+      if (err) {
+        return callback(err);
+      }
 
       assertion = utils.parseSamlAssertion(assertion);
 
-      // if saml assertion has a prefix but namespace is defined on parent, copy it to assertion
-      if (assertion && assertion.prefix && !assertion.getAttributeNS(saml2Namespace, assertion.prefix)) {
-        assertion.setAttribute('xmlns:' + assertion.prefix, assertion.lookupNamespaceURI(assertion.prefix));
-      }
+      // copy all ancestor namespaces see https://github.com/auth0/xml-crypto/blob/d36a1bc0af40a5a3eec9c0c7b6b3f87bb0a0bca1/lib/signed-xml.js#L390-L392
+      // When we extract the assertion for later usage, this assertion wont include all name spaces. All namespaces from parents
+      // nodes are used to calculate the digest.
+      collectAncestorNamespaces(assertion)
+        .filter((attr) => !assertion.getAttribute(attr.key))
+        .forEach((attr) => assertion.setAttribute(attr.key, attr.value));
 
       callback(null, assertion);
-    };
+    }
 
     var foundAssertions = xpath.select("//*[local-name(.)='Assertion']", samlpResponse);
     if (foundAssertions.length > 1) {

lib/passport-wsfed-saml2/utils.js

@@ -10,6 +10,11 @@ const CERT_END = "\n-----END CERTIFICATE-----\n";
 
 exports.certToPEM = (cert) => CERT_START + cert.match(/.{1,64}/g).join('\n') + CERT_END;
 
+// convert from \r\n -> \n this should be done by the xml parser, but is ignoring this.
+function crlf2lf(string) {
+  return string.replace(/\r\n?/g, '\n');
+}
+
 exports.getSamlAssertionVersion = function(samlAssertion){
   if (samlAssertion.getAttribute('MajorVersion') === '1') {
     return '1.1';
@@ -20,12 +25,12 @@ exports.getSamlAssertionVersion = function(samlAssertion){
     return undefined;
   }
 
-}
+};
 
 exports.parseSamlAssertion = function(xml) {
   if (typeof xml === 'string') {
     try {
-      return new xmldom.DOMParser().parseFromString(xml);
+      return new xmldom.DOMParser().parseFromString(crlf2lf(xml));
     } catch (e) {
       throw new SamlAssertionParserError('SAML Assertion should be a valid xml', e);
     }
@@ -37,7 +42,7 @@ exports.parseSamlAssertion = function(xml) {
 exports.parseSamlResponse = function(xml) {
   if (typeof xml === 'string') {
     try {
-      return new xmldom.DOMParser().parseFromString(xml);
+      return new xmldom.DOMParser().parseFromString(crlf2lf(xml));
     } catch (e) {
       throw new SamlResponseParserError('SAMLResponse should be a valid xml', e);
     }
@@ -49,7 +54,7 @@ exports.parseSamlResponse = function(xml) {
 exports.parseWsFedResponse = function(xml) {
   if (typeof xml === 'string') {
     try {
-      return new xmldom.DOMParser().parseFromString(xml);
+      return new xmldom.DOMParser().parseFromString(crlf2lf(xml));
     } catch (e) {
       throw new WSFederationResultParserError('wresult should be a valid xml', e);
     }
@@ -69,7 +74,7 @@ exports.generateUniqueID = function() {
 
 exports.getEncoding = function(xml){
   try{
-    const response = new xmldom.DOMParser().parseFromString(xml);
+    const response = new xmldom.DOMParser().parseFromString(crlf2lf(xml));
     // <?xml version="1.0" encoding="XXXX"?> -> read encoding
     if (response.firstChild && response.firstChild.tagName == 'xml'){
       const regex = /(?:encoding=\")([^\"]*)(?:\")/g;
@@ -84,7 +89,7 @@ exports.getEncoding = function(xml){
   } catch(e){
     return;
   }
-}
+};
 
 /**
  * Safely compare two string. Type validation and length comparison are inspired in the

package.json

@@ -1,6 +1,6 @@
 {
   "name": "passport-wsfed-saml2",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "description": "SAML2 Protocol and WS-Fed library",
   "scripts": {
     "test": "mocha --reporter spec --recursive"
@@ -25,10 +25,10 @@
     "uid2": "0.0.x",
     "valid-url": "^1.0.9",
     "x509": "^0.3.4",
-    "xml-crypto": "auth0/xml-crypto#fix-digest",
+    "xml-crypto": "auth0/xml-crypto#v1.4.1-auth0.2",
     "xml-encryption": "auth0/node-xml-encryption#v0.12.0",
     "xml2js": "0.1.x",
-    "xmldom": "auth0/xmldom#v0.1.19-auth0_1",
+    "xmldom": "auth0/xmldom#v0.1.19-auth0.2",
     "xpath": "0.0.5",
     "xtend": "~2.0.3"
   },
@@ -46,7 +46,7 @@
     "wsfed": "~0.3.5"
   },
   "engines": {
-    "node": ">= 0.6.0"
+    "node": ">= 4"
   },
   "licenses": [
     {