Require document signature; add option disable (#83)

cjbarth · web-flow · commit 187f8ae6da4a · 2022-09-20T15:45:14.000-04:00
diff --git a/README.md b/README.md
@@ -60,6 +60,7 @@ const saml = new SAML(options);
 - `allowCreate`: grants permission to the identity provider to create a new subject identifier (default: `true`)
 - `spNameQualifier`: optionally specifies that the assertion subject's identifier be returned (or created) in the namespace of another service provider, or in the namespace of an affiliation of service providers
 - `wantAssertionsSigned`: if truthy, add `WantAssertionsSigned="true"` to the metadata, to specify that the IdP should always sign the assertions.
+- `wantAuthnResponseSigned`: if true, require that all incoming authentication response messages be signed at the top level, not just at the assertions. It is on by default.
 - `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps. Setting to `-1` will disable checking these conditions entirely. Default is `0`.
 - `maxAssertionAgeMs`: Amount of time after which the framework should consider an assertion expired. If the limit imposed by this variable is stricter than the limit imposed by `NotOnOrAfter`, this limit will be used when determining if an assertion is expired.
 - `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
diff --git a/src/saml.ts b/src/saml.ts
@@ -77,6 +77,7 @@ class SAML {
     assertBooleanIfPresent(ctorOptions.disableRequestAcsUrl);
     assertBooleanIfPresent(ctorOptions.allowCreate);
     assertBooleanIfPresent(ctorOptions.wantAssertionsSigned);
+    assertBooleanIfPresent(ctorOptions.wantAuthnResponseSigned);
     assertBooleanIfPresent(ctorOptions.signMetadata);
 
     const options: SamlOptions = {
@@ -102,6 +103,7 @@ class SAML {
       allowCreate: ctorOptions.allowCreate ?? true,
       spNameQualifier: ctorOptions.spNameQualifier,
       wantAssertionsSigned: ctorOptions.wantAssertionsSigned ?? false,
+      wantAuthnResponseSigned: ctorOptions.wantAuthnResponseSigned ?? true,
       authnContext: ctorOptions.authnContext ?? [
         "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
       ],
@@ -692,6 +694,10 @@ class SAML {
         validSignature = true;
       }
 
+      if (this.options.wantAuthnResponseSigned === true && validSignature === false) {
+        throw new Error("Invalid document signature");
+      }
+
       const assertions = xpath.selectElements(
         doc,
         "/*[local-name()='Response']/*[local-name()='Assertion']"
diff --git a/src/types.ts b/src/types.ts
@@ -135,6 +135,7 @@ export interface SamlOptions extends Partial<SamlSigningOptions>, MandatorySamlO
   audience: string | false;
   scoping?: SamlScopingConfig;
   wantAssertionsSigned: boolean;
+  wantAuthnResponseSigned: boolean;
   maxAssertionAgeMs: number;
   generateUniqueId: () => string;
   signMetadata: boolean;
diff --git a/test/test-signatures.spec.ts b/test/test-signatures.spec.ts
@@ -10,6 +10,7 @@ const cert = fs.readFileSync(__dirname + "/static/cert.pem", "ascii");
 
 describe("Signatures", function () {
   const INVALID_SIGNATURE = "Invalid signature",
+    INVALID_DOCUMENT_SIGNATURE = "Invalid document signature",
     INVALID_ENCRYPTED_SIGNATURE = "Invalid signature from encrypted assertion",
     INVALID_TOO_MANY_TRANSFORMS = "Invalid signature, too many transforms",
     createBody = (pathToXml: string) => ({
@@ -22,18 +23,26 @@ describe("Signatures", function () {
       options: Partial<SamlConfig> = {}
     ) => {
       //== Instantiate new instance before every test
-      const samlObj = new SAML({ cert, issuer: options.issuer ?? "onesaml_login", ...options });
+      const samlObj = new SAML({
+        cert,
+        issuer: options.issuer ?? "onesaml_login",
+        wantAuthnResponseSigned: false,
+        ...options,
+      });
+
       //== Spy on `validateSignature` to be able to count how many times it has been called
       const validateSignatureSpy = sinon.spy(xml, "validateSignature");
 
-      //== Run the test in `func`
-      await assert.rejects(samlObj.validatePostResponseAsync(samlResponseBody), {
-        message: shouldErrorWith || "SAML assertion expired: clocks skewed too much",
-      });
-      //== Assert times `validateSignature` was called
-      expect(validateSignatureSpy.callCount).to.equal(amountOfSignatureChecks);
-
-      validateSignatureSpy.restore();
+      try {
+        //== Run the test in `func`
+        await assert.rejects(samlObj.validatePostResponseAsync(samlResponseBody), {
+          message: shouldErrorWith || "SAML assertion expired: clocks skewed too much",
+        });
+        //== Assert times `validateSignature` was called
+        expect(validateSignatureSpy.callCount).to.equal(amountOfSignatureChecks);
+      } finally {
+        validateSignatureSpy.restore();
+      }
     },
     testOneResponse = (
       pathToXml: string,
@@ -57,6 +66,12 @@ describe("Signatures", function () {
       "R1A - both signed => valid",
       testOneResponse("/valid/response.root-signed.assertion-signed.xml", false, 1)
     );
+    it(
+      "R1A - root signed, root signiture required => valid",
+      testOneResponse("/valid/response.root-signed.assertion-unsigned.xml", false, 1, {
+        issuer: "onesaml_login",
+      })
+    );
     it(
       "R1A - root signed => valid",
       testOneResponse("/valid/response.root-signed.assertion-unsigned.xml", false, 1)
@@ -67,6 +82,18 @@ describe("Signatures", function () {
     );
 
     //== INVALID
+    it(
+      "R1A - root not signed, but required, asrt signed => error",
+      testOneResponse(
+        "/valid/response.root-unsigned.assertion-signed.xml",
+        INVALID_DOCUMENT_SIGNATURE,
+        1,
+        {
+          wantAuthnResponseSigned: true,
+          issuer: "onesaml_login",
+        }
+      )
+    );
     it(
       "R1A - none signed => error",
       testOneResponse(
diff --git a/test/tests.spec.ts b/test/tests.spec.ts
@@ -700,6 +700,7 @@ describe("node-saml /", function () {
         const samlObj = new SAML({
           cert: "-----BEGIN CERTIFICATE-----" + TEST_CERT + "-----END CERTIFICATE-----",
           issuer: "onesaml_login",
+          wantAuthnResponseSigned: false,
         });
         await assert.rejects(samlObj.validatePostResponseAsync(container), {
           message: /Responder.*Required NameID format not supported/,
@@ -711,7 +712,11 @@ describe("node-saml /", function () {
           '<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost/browserSamlLogin" ID="_6a377272c8662561acf1056274ef3f81" InResponseTo="_4324fb0d00661146f7dc" IssueInstant="2014-07-02T18:16:31.278Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode></saml2p:Status></saml2p:Response>';
         const base64xml = Buffer.from(xml).toString("base64");
         const container = { SAMLResponse: base64xml };
-        const samlObj = new SAML({ cert: FAKE_CERT, issuer: "onesaml_login" });
+        const samlObj = new SAML({
+          cert: FAKE_CERT,
+          issuer: "onesaml_login",
+          wantAuthnResponseSigned: false,
+        });
         await assert.rejects(samlObj.validatePostResponseAsync(container), {
           message: /Responder.*InvalidNameIDPolicy/,
         });
@@ -911,6 +916,7 @@ describe("node-saml /", function () {
                 cert: TEST_CERT,
                 validateInResponseTo,
                 issuer: "onesaml_login",
+                wantAuthnResponseSigned: false,
               };
               const samlObj = new SAML(samlConfig);
 
@@ -948,11 +954,13 @@ describe("node-saml /", function () {
           cert: TEST_CERT,
           audience: false,
           issuer: "onesaml_login",
+          wantAuthnResponseSigned: false,
         };
         const noAudienceSamlConfig: SamlConfig = {
           entryPoint: "https://app.onelogin.com/trust/saml2/http-post/sso/371755",
           cert: TEST_CERT,
           issuer: "onesaml_login",
+          wantAuthnResponseSigned: false,
         };
         const noCertSamlConfig: SamlConfig = {
           entryPoint: "https://app.onelogin.com/trust/saml2/http-post/sso/371755",
@@ -1199,6 +1207,7 @@ describe("node-saml /", function () {
             cert: [ALT_TEST_CERT, TEST_CERT],
             audience: false,
             issuer: "onesaml_login",
+            wantAuthnResponseSigned: false,
           };
           const xml =
             '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
@@ -1222,6 +1231,7 @@ describe("node-saml /", function () {
             },
             audience: false,
             issuer: "onesaml_login",
+            wantAuthnResponseSigned: false,
           };
           const xml =
             '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
@@ -1245,6 +1255,7 @@ describe("node-saml /", function () {
             },
             audience: false,
             issuer: "onesaml_login",
+            wantAuthnResponseSigned: false,
           };
           const xml =
             '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
@@ -1357,7 +1368,11 @@ describe("node-saml /", function () {
             "</Response>";
           const base64xml = Buffer.from(xml).toString("base64");
           const container = { SAMLResponse: base64xml };
-          const samlObj = new SAML({ cert: TEST_CERT, issuer: "onesaml_login" });
+          const samlObj = new SAML({
+            cert: TEST_CERT,
+            issuer: "onesaml_login",
+            wantAuthnResponseSigned: false,
+          });
           await assert.rejects(samlObj.validatePostResponseAsync(container), {
             message: "Invalid signature",
           });
@@ -1820,6 +1835,7 @@ describe("node-saml /", function () {
                 validateInResponseTo,
                 audience: false,
                 issuer: "onesaml_login",
+                wantAuthnResponseSigned: false,
               };
               const samlObj = new SAML(samlConfig);
 
@@ -1939,6 +1955,7 @@ describe("node-saml /", function () {
                 validateInResponseTo,
                 audience: false,
                 issuer: "onesaml_login",
+                wantAuthnResponseSigned: false,
               };
               const samlObj = new SAML(samlConfig);
 
@@ -1999,6 +2016,7 @@ describe("node-saml /", function () {
           validateInResponseTo: ValidateInResponseTo.never,
           audience: false,
           issuer: "onesaml_login",
+          wantAuthnResponseSigned: false,
         };
         const samlObj = new SAML(samlConfig);
 
@@ -2051,6 +2069,7 @@ describe("node-saml /", function () {
         cert: TEST_CERT,
         audience: false,
         issuer: "onesaml_login",
+        wantAuthnResponseSigned: false,
       };
       let fakeClock: sinon.SinonFakeTimers;
 
@@ -2197,6 +2216,7 @@ describe("node-saml /", function () {
           acceptedClockSkewMs: -1,
           audience: false,
           issuer: "onesaml_login",
+          wantAuthnResponseSigned: false,
         };
         const samlObj = new SAML(samlConfig);
 
