Merge branch 'develop'

save
2024-05-01 11:24:52 +02:00 · 2017-05-19 18:09:20 +02:00 · 2017-05-19 18:09:20 +02:00 · 4dd7f8c6cd
parent 35b47b6718 ccda77afad
commit 4dd7f8c6cd
5 changed files with 64 additions and 279 deletions
--- a/.npm/package/npm-shrinkwrap.json
+++ b/.npm/package/npm-shrinkwrap.json
@ -1,249 +0,0 @@
-{
-  "dependencies": {
-    "async": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/async/-/async-2.3.0.tgz",
-      "from": "async@2.3.0"
-    },
-    "body-parser": {
-      "version": "1.17.1",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.17.1.tgz",
-      "from": "body-parser@1.17.1",
-      "dependencies": {
-        "bytes": {
-          "version": "2.4.0",
-          "resolved": "https://registry.npmjs.org/bytes/-/bytes-2.4.0.tgz",
-          "from": "bytes@2.4.0"
-        },
-        "debug": {
-          "version": "2.6.1",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.1.tgz",
-          "from": "debug@2.6.1"
-        },
-        "ms": {
-          "version": "0.7.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.2.tgz",
-          "from": "ms@0.7.2"
-        }
-      }
-    },
-    "bytes": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/bytes/-/bytes-2.5.0.tgz",
-      "from": "bytes@2.5.0"
-    },
-    "connect": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/connect/-/connect-3.6.0.tgz",
-      "from": "connect@3.6.0",
-      "dependencies": {
-        "debug": {
-          "version": "2.6.1",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.1.tgz",
-          "from": "debug@2.6.1"
-        },
-        "ms": {
-          "version": "0.7.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.2.tgz",
-          "from": "ms@0.7.2"
-        }
-      }
-    },
-    "content-type": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.2.tgz",
-      "from": "content-type@1.0.2"
-    },
-    "debug": {
-      "version": "2.6.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.3.tgz",
-      "from": "debug@2.6.3",
-      "dependencies": {
-        "ms": {
-          "version": "0.7.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.2.tgz",
-          "from": "ms@0.7.2"
-        }
-      }
-    },
-    "depd": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.0.tgz",
-      "from": "depd@1.1.0"
-    },
-    "ee-first": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
-      "from": "ee-first@1.1.1"
-    },
-    "ejs": {
-      "version": "2.5.6",
-      "resolved": "https://registry.npmjs.org/ejs/-/ejs-2.5.6.tgz",
-      "from": "ejs@2.5.6"
-    },
-    "encodeurl": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.1.tgz",
-      "from": "encodeurl@>=1.0.1 <1.1.0"
-    },
-    "escape-html": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
-      "from": "escape-html@>=1.0.3 <1.1.0"
-    },
-    "finalhandler": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.0.0.tgz",
-      "from": "finalhandler@1.0.0",
-      "dependencies": {
-        "debug": {
-          "version": "2.6.1",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.1.tgz",
-          "from": "debug@2.6.1"
-        },
-        "ms": {
-          "version": "0.7.2",
-          "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.2.tgz",
-          "from": "ms@0.7.2"
-        }
-      }
-    },
-    "http-errors": {
-      "version": "1.6.1",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.6.1.tgz",
-      "from": "http-errors@1.6.1"
-    },
-    "iconv-lite": {
-      "version": "0.4.15",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.15.tgz",
-      "from": "iconv-lite@0.4.15"
-    },
-    "inherits": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz",
-      "from": "inherits@2.0.3"
-    },
-    "lodash": {
-      "version": "4.17.4",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz",
-      "from": "lodash@4.17.4"
-    },
-    "media-typer": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
-      "from": "media-typer@0.3.0"
-    },
-    "mime-db": {
-      "version": "1.27.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.27.0.tgz",
-      "from": "mime-db@>=1.27.0 <1.28.0"
-    },
-    "mime-types": {
-      "version": "2.1.15",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.15.tgz",
-      "from": "mime-types@2.1.15"
-    },
-    "ms": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-1.0.0.tgz",
-      "from": "ms@1.0.0"
-    },
-    "node-forge": {
-      "version": "0.7.1",
-      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-0.7.1.tgz",
-      "from": "node-forge@0.7.1"
-    },
-    "on-finished": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz",
-      "from": "on-finished@2.3.0"
-    },
-    "parseurl": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.1.tgz",
-      "from": "parseurl@>=1.3.1 <1.4.0"
-    },
-    "qs": {
-      "version": "6.4.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.4.0.tgz",
-      "from": "qs@6.4.0"
-    },
-    "querystring": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/querystring/-/querystring-0.2.0.tgz",
-      "from": "querystring@0.2.0"
-    },
-    "raw-body": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.2.0.tgz",
-      "from": "raw-body@2.2.0",
-      "dependencies": {
-        "bytes": {
-          "version": "2.4.0",
-          "resolved": "https://registry.npmjs.org/bytes/-/bytes-2.4.0.tgz",
-          "from": "bytes@2.4.0"
-        }
-      }
-    },
-    "sax": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.2.tgz",
-      "from": "sax@1.2.2"
-    },
-    "setprototypeof": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.0.3.tgz",
-      "from": "setprototypeof@1.0.3"
-    },
-    "statuses": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.3.1.tgz",
-      "from": "statuses@1.3.1"
-    },
-    "type-is": {
-      "version": "1.6.15",
-      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.15.tgz",
-      "from": "type-is@1.6.15"
-    },
-    "unpipe": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
-      "from": "unpipe@1.0.0"
-    },
-    "utils-merge": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.0.tgz",
-      "from": "utils-merge@1.0.0"
-    },
-    "xml-crypto": {
-      "version": "0.9.0",
-      "resolved": "https://registry.npmjs.org/xml-crypto/-/xml-crypto-0.9.0.tgz",
-      "from": "xml-crypto@0.9.0"
-    },
-    "xml2js": {
-      "version": "0.4.17",
-      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.17.tgz",
-      "from": "xml2js@0.4.17"
-    },
-    "xmlbuilder": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-4.2.1.tgz",
-      "from": "xmlbuilder@>=4.1.0 <5.0.0"
-    },
-    "xmldom": {
-      "version": "0.1.19",
-      "resolved": "https://registry.npmjs.org/xmldom/-/xmldom-0.1.19.tgz",
-      "from": "xmldom@0.1.19"
-    },
-    "xpath": {
-      "version": "0.0.24",
-      "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.24.tgz",
-      "from": "xpath@0.0.24"
-    },
-    "xpath.js": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/xpath.js/-/xpath.js-1.0.7.tgz",
-      "from": "xpath.js@1.0.7"
-    }
-  }
-}
--- a/README.md
+++ b/README.md
@ -31,6 +31,9 @@ settings = {"saml":[{
     "privateKeyFile": "certs/mykey.pem",  // path is relative to $METEOR-PROJECT/private
     "publicCertFile": "certs/mycert.pem",  // eg $METEOR-PROJECT/private/certs/mycert.pem
     "dynamicProfile": true // set to true if we want to create a user in Meteor.users dynamically if SAML assertion is valid
+     "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", // Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+     "localProfileMatchAttribute": "telephoneNumber" // CAUTION: this will be mapped to profile.<localProfileMatchAttribute> attribute in Mongo if identifierFormat (see above) differs from urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+
  }]}

 Meteor.settings = settings;
--- a/package.js
+++ b/package.js
@ -23,6 +23,7 @@ Package.onTest((api) => {

 Npm.depends({
    "depd": "1.1.0",
+        "xml-crypto": "0.9.0",
    "bytes": "2.5.0",
    "content-type": "1.0.2",
    "debug": "2.6.3",
@ -43,7 +44,7 @@ Npm.depends({
    "xml2js": "0.4.17",
    "body-parser": "1.17.1",
    "sax": "1.2.2",
-    "xmlbuilder": "8.2.2",
+    "xmlbuilder": "9.0.0",
    "ejs": "2.5.6",
    "async": "2.3.0",
    "lodash":"4.17.4",
@ -52,7 +53,13 @@ Npm.depends({
    "xpath.js": "1.0.7",
    "xmldom": "0.1.27",
    "connect": "3.6.0",
-    "querystring": "0.2.0",
-    "xml-encryption": "0.10.0",
-    "xml-crypto": "0.9.0"
+    "querystring": "0.2.0"
+//    "xml-encryption": "0.10.0"
 });
+
+// Npm.depends({
+//     "depd": "1.1.0",
+//     "xml-crypto": "0.9.0",
+//     "xmlbuilder": "9.0.0",
+//     "xml2js": "0.4.17"
+// });
--- a/saml_server.js
+++ b/saml_server.js
@ -71,28 +71,61 @@ Accounts.registerLoginHandler(function(loginRequest) {
    if (Meteor.settings.debug) {
        console.log("RESULT :" + JSON.stringify(loginResult));
    }
-    if (loginResult && loginResult.profile && loginResult.profile.email) {
-        console.log("Profile: " + JSON.stringify(loginResult.profile.email));
+
+    if (loginResult && loginResult.profile && loginResult.profile.nameID) {
+        console.log("Profile: " + JSON.stringify(loginResult.profile.nameID));
+        var localProfileMatchAttribute;
+        var localFindStructure;
+        var nameIDFormat;
+        // Default nameIDFormat is emailAddress
+        if (!(Meteor.settings.saml[0].identifierFormat) || (Meteor.settings.saml[0].identifierFormat == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")) {
+          nameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
+        } else {
+          nameIDFormat = Meteor.settings.saml[0].identifierFormat;
+        }
+
+        if (nameIDFormat == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" ) {
+            // If nameID Format is emailAdress, we should not force 'email' as localProfileMatchAttribute
+            localProfileMatchAttribute = "email";
+            localFindStructure = "emails.address";
+            profileOrEmail = "email";
+            profileOrEmailValue = loginResult.profile.nameID;
+        } else // any other nameID format
+            // Check if Meteor.settings.saml[0].localProfileMatchAttribute has value
+            // These values will be stored in profile substructure. They're NOT security relevant because profile isn't a safe place
+            if (Meteor.settings.saml[0].localProfileMatchAttribute){
+               profileOrEmail = "profile";
+               profileOrEmailValue = {
+                  [Meteor.settings.saml[0].localProfileMatchAttribute] : loginResult.profile.nameID
+               };
+               localFindStructure = 'profile.' + Meteor.settings.saml[0].localProfileMatchAttribute;
+        }
        var user = Meteor.users.findOne({
-            'emails.address': loginResult.profile.email
+            //profile[Meteor.settings.saml[0].localProfileMatchAttribute]: loginResult.profile.nameID
+            [localFindStructure]: loginResult.profile.nameID
        });

        if (!user) {
            if (Meteor.settings.saml[0].dynamicProfile) {
+                if (Meteor.settings.debug) {
+                    console.log("User not found. Will dynamically create one with '" + Meteor.settings.saml[0].localProfileMatchAttribute + "' = " + loginResult.profile[Meteor.settings.saml[0].localProfileMatchAttribute])
+                }
                Accounts.createUser({
-                    email: loginResult.profile.email,
+                    //email: loginResult.profile.email,
                    password: "",
                    username: loginResult.profile.nameID,
-                    profile: ""
+                    [profileOrEmail]:  profileOrEmailValue
+
+                    //[Meteor.settings.saml[0].localProfileMatchAttribute]: loginResult.profile[Meteor.settings.saml[0].localProfileMatchAttribute]
                });
                user = Meteor.users.findOne({
-                    "emails.address": loginResult.profile.email
+                    "username": loginResult.profile.nameID
                });
                if (Meteor.settings.debug) {
                    console.log("Created new user");
                }
            } else {
-                throw new Error("Could not find an existing user with supplied email " + loginResult.profile.email);
+                throw new Error("Could not find an existing user with supplied attribute  '" + Meteor.settings.saml[0].localProfileMatchAttribute + "' and value:" + loginResult.profile[Meteor.settings.saml[0].localProfileMatchAttribute]);
            }
        }

@ -142,7 +175,7 @@ Accounts.registerLoginHandler(function(loginRequest) {
        return result

    } else {
-        throw new Error("SAML Profile did not contain an email address");
+        throw new Error("SAML Assertion did not contain a proper SAML subject value");
    }
 });

@ -273,6 +306,9 @@ middleware = function(req, res, next) {
                break;
            case "validate":
                _saml = new SAML(service);
+                if (Meteor.settings.debug) {
+                  console.log("Service: " + JSON.stringify(service));
+                };
                Accounts.saml.RelayState = req.body.RelayState;
                _saml.validateResponse(req.body.SAMLResponse, req.body.RelayState, function(err, profile, loggedOut) {
                    if (err)
--- a/saml_utils.js
+++ b/saml_utils.js
@ -485,24 +485,12 @@ SAML.prototype.generateServiceProviderMetadata = function(callbackUrl) {
 					}
 				}
 			},
-			'#list': [
-				// this should be the set that the xmlenc library supports
-				{
-					'EncryptionMethod': {
-						'@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
-					}
-				},
-				{
-					'EncryptionMethod': {
-						'@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
-					}
-				},
-				{
-					'EncryptionMethod': {
-						'@Algorithm': 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
-					}
-				}
-			]
+					'EncryptionMethod': [
+						// this should be the set that the xmlenc library supports
+						{'@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'},
+						{'@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'},
+						{'@Algorithm': 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'}
+					]
 		};
 	}