var fs = require('fs'), url = require('url'), zlib = require('zlib'), querystring = require('querystring'), Promise = require('bluebird'), log4js = require('log4js'), // the logger express = require('express'), xmlCrypto = require('xml-crypto'), xmldom = require('xmldom'), xmlbuilder = require('xmlbuilder'), crypto = require('crypto'), bodyParser = require('body-parser'), http_app = express(), http_server = require('http').createServer(http_app); http_app.use(bodyParser.urlencoded({extended: true})); http_app.use(bodyParser.json()); http_server.listen(8085, 'localhost'); // ================================================================================ // The logger // ================================================================================ log4js.loadAppender('file'); log4js.addAppender(log4js.appenders.file(process.env.CODEQ_SAML_LOG || 'codeq-saml.log'), 'log'); var logger = log4js.getLogger('log'); var logException = function (msg, error) { if ((error instanceof Error) && (typeof error.stack === 'string')) msg += '\n' + error.stack; logger.error(msg); }; // prevent the node from exiting because of an unhandled exception Promise.onPossiblyUnhandledRejection(function (error) { logException('Unhandled promise rejection: ' + error, error); }); process.on('uncaughtException', function (error) { logException('Uncaught exception: ' + error, error); }); // ================================================================================ // Misc // ================================================================================ var assertionConsumerServiceURL = 'https://codeq.si/Shibboleth.sso/SAML2/POST', SPIssuer = 'https://codeq.si/sp/201509281041', privateCert = fs.readFileSync('/etc/shibboleth/sp-key.pem', 'utf8'), SamlStatusSuccess = 'urn:oasis:names:tc:SAML:2.0:status:Success'; // IdP: idp.aai.arnes.si var SSOServiceURL = 'https://idp.aai.arnes.si/simplesaml/saml2/idp/SSOService.php', SLOServiceURL = 'https://idp.aai.arnes.si/simplesaml/saml2/idp/SingleLogoutService.php', IdPIssuer = 'https://idp.aai.arnes.si/idp/20090116', IdPKeyInfoProvider = new xmlCrypto.FileKeyInfo('/etc/shibboleth/idp.crt'); /* // IdP: idp.uni-lj.si var SSOServiceURL = 'https://idp.uni-lj.si/simplesaml/saml2/idp/SSOService.php', SLOServiceURL = 'https://idp.uni-lj.si/simplesaml/saml2/idp/SingleLogoutService.php', IdPIssuer = 'https://idp.uni-lj.si/idp/20100525', IdPKeyInfoProvider = new xmlCrypto.FileKeyInfo('/etc/shibboleth/idp.uni-lj.si.crt'); */ var idChars = '0123456789abcdef', makeRequestId = function () { var idParts = [], i; for (i = 0; i < 20; i++) idParts.push(idChars[Math.floor(Math.random() * 15)]); return idParts.join(''); }; var waitingLogins = {}, // maps sid to waiter waitingLogouts = {}, parkedLoginRequests = {}, // maps SAML request ID to waiter parkedLogoutRequests = {}; var makeSamlRedirectUrl = function (serviceUrl, queryKey, queryObj, additionalData, callback) { var xml = xmlbuilder.create(queryObj).end(); logger.debug('Redirecting with ' + queryKey + ' to ' + serviceUrl + ':\n' + xml); zlib.deflateRaw(xml, function (err, buffer) { var svcUrl, signer, query, keys, i, key; if (err) { callback(err, null); return; } query = { 'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' }; query[queryKey] = buffer.toString('base64'); if (additionalData && (typeof additionalData === 'object')) { keys = Object.keys(additionalData); for (i = keys.length - 1; i >= 0; i--) { key = keys[i]; query[key] = additionalData[key]; } } signer = crypto.createSign('RSA-SHA1'); signer.update(querystring.stringify(query)); query.Signature = signer.sign(privateCert, 'base64'); svcUrl = url.parse(serviceUrl); svcUrl.query = query; delete svcUrl.search; callback(null, url.format(svcUrl)); }); }; var makeWaiter = function (sid) { var waiter = { 'sid': sid, 'created': Date.now(), 'listeners': 0 }; waiter.promise = new Promise(function (resolve, reject) { waiter.resolve = resolve; waiter.reject = reject; }); return waiter; }; var makeDoubleWaiter = function (sid) { var waiter = makeWaiter(sid); waiter.responsePromise = new Promise(function (resolve, reject) { waiter.responseResolve = resolve; waiter.responseReject = reject; }); return waiter; }; // ================================================================================ // XML DOM data extraction functions for SAML data // ================================================================================ var validateXmlSignature = function (xml, signatureNode) { var sig = new xmlCrypto.SignedXml(); sig.keyInfoProvider = IdPKeyInfoProvider; sig.loadSignature(signatureNode.toString()); return sig.checkSignature(xml); }; var xmlStatusOk = function (statusNode) { var node = statusNode.firstChild, attributes, i; while (node) { if (node.localName === 'StatusCode') { attributes = node.attributes; for (i = attributes.length - 1; i >= 0; i--) { if (attributes[i].localName === 'Value') return attributes[i].value == SamlStatusSuccess; } } node = node.nextSibling; } return null; }; var parseAttributeValue = function (attributeNode) { var node = attributeNode.firstChild; while (node) { if (node.localName === 'AttributeValue') { return node.firstChild.data; } node = node.nextSibling; } return null; }; var parseAttributes = function (attributeStatementNode) { var node = attributeStatementNode.firstChild, result = {}, attributes, i, name; while (node) { if (node.localName === 'Attribute') { attributes = node.attributes; for (i = attributes.length - 1; i >= 0; i--) { if (attributes[i].localName === 'Name') { name = attributes[i].value; break; } } if (i < 0) { logger.error('ERROR: an attribute without a name'); } else { result[name] = parseAttributeValue(node); } } node = node.nextSibling; } return result; }; // return the NameID in the format for use with xmlbuilder var parseNameID = function (NameIDNode) { var result = {}, i, attributes; result['#text'] = NameIDNode.firstChild.data; attributes = NameIDNode.attributes; for (i = attributes.length - 1; i >= 0; i--) { switch (attributes[i].localName) { case 'NameQualifier': // NameID namespace result['@NameQualifier'] = attributes[i].value; break; case 'SPNameQualifier': // 2nd level NameID namespace result['@SPNameQualifier'] = attributes[i].value; break; case 'Format': result['@Format'] = attributes[i].value; break; case 'SPProvidedID': result['@SPProvidedID'] = attributes[i].value; break; } } return result; }; var parseSubject = function (subjectNode) { var node = subjectNode.firstChild, result = {}; while (node) { if (node.localName === 'NameID') { result['NameID'] = parseNameID(node); } node = node.nextSibling; } return result; }; var parseAssertion = function (xml, assertionNode) { var node = assertionNode.firstChild, result = {}, attributes, i; while (node) { switch (node.localName) { case 'Signature': result.signatureOk = validateXmlSignature(xml, node); break; case 'Subject': // extract presenter identifier result.subject = parseSubject(node); break; case 'AuthnStatement': // extract the session index attributes = node.attributes; for (i = attributes.length - 1; i >= 0; i--) { if (attributes[i].localName === 'SessionIndex') { result.SessionIndex = attributes[i].value; break; } } break; case 'AttributeStatement': result.attributes = parseAttributes(node); break; } node = node.nextSibling; } return result; }; // ================================================================================ // SAML logout handlers // ================================================================================ // process response to our (global) logout request var handleLogoutResponse = function (xml, form, res) { var errors = [], issuer = null, status = null, waiter = null, doc, rootNode, attributes, i, inResponseTo, node; doc = new xmldom.DOMParser().parseFromString(xml); rootNode = doc.documentElement; if (rootNode.localName != 'LogoutResponse') { errors.push('not a LogoutResponse: ' + rootNode.localName); } else { attributes = rootNode.attributes; for (i = attributes.length - 1; i >= 0; i--) { if (attributes[i].localName === 'InResponseTo') { inResponseTo = attributes[i].value; break; } } if (!inResponseTo) errors.push('request ID that this message is a response to is missing'); else { waiter = parkedLogoutRequests[inResponseTo]; if (!waiter) errors.push('there is no session waiting on request ID ' + inResponseTo); else { waiter.done = Date.now(); delete parkedLogoutRequests[inResponseTo]; } } node = rootNode.firstChild; while (node) { switch (node.localName) { case 'Issuer': issuer = node.firstChild.data; break; case 'Status': status = xmlStatusOk(node); break; default: // errors.push('Unknown/unsupported top XML node: ' + node.localName + ', prefix: ' + node.prefix); break; } node = node.nextSibling; } if (issuer === null) errors.push('Issuer is not set'); else if (issuer !== IdPIssuer) errors.push('Invalid IdP issuer: ' + issuer); if (status === null) errors.push('response status is not set'); else if (!status) errors.push('response status is not OK'); } res.set('Content-Type', 'text/plain'); if (errors.length > 0) { if (errors.length > 1) res.send('Multiple errors:\n ' + errors.join('\n ')); else res.send('Error: ' + errors[0]); if (waiter) waiter.responseReject(new Error(errors.join(', '))); } else { res.send('OK'); if (waiter) waiter.responseResolve(); } }; // a third party initiated the (global) logout, process the request and redirect with a response var handleLogoutRequest = function (xml, form, res) { var errors = [], nameId = null, sessionIndex = null, doc, rootNode, attributes, i, requestId, node, responseObj, responseId; doc = new xmldom.DOMParser().parseFromString(xml); rootNode = doc.documentElement; if (rootNode.localName != 'LogoutRequest') { errors.push('not a LogoutRequest: ' + rootNode.localName); } else { attributes = rootNode.attributes; for (i = attributes.length - 1; i >= 0; i--) { if (attributes[i].localName === 'ID') { requestId = attributes[i].value; break; } } if (!requestId) errors.push('request ID is missing'); node = rootNode.firstChild; while (node) { switch (node.localName) { case 'Issuer': if (node.firstChild.data !== IdPIssuer) errors.push('ERROR: invalid IdP issuer: ' + node.firstChild.data); break; case 'NameID': nameId = parseNameID(node); break; case 'SessionIndex': sessionIndex = node.firstChild && node.firstChild.data; break; } node = node.nextSibling; } if (!nameId) errors.push('NameID not present'); else { if (!nameId['#text']) errors.push('NameID is empty'); } } if (errors.length > 0) { res.set('Content-Type', 'text/plain'); res.send(errors.join('\n')); } else { responseId = makeRequestId(); responseObj = { 'samlp:LogoutResponse': { '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion', '@Version': '2.0', '@Destination': SLOServiceURL, '@ID': responseId, '@IssueInstant': new Date().toISOString(), '@InResponseTo': requestId, 'saml:Issuer' : { '#text': SPIssuer }, 'samlp:Status': { 'samlp:StatusCode': { '@Value': 'urn:oasis:names:tc:SAML:2.0:status:Success' } } } }; makeSamlRedirectUrl(SLOServiceURL, 'SAMLRequest', responseObj, form.RelayState ? {RelayState: form.RelayState} : null, function (err, svcUrl) { if (err) { logException('Error while assembling the Logout SAML response: ' + err, err); res.send('Failed: ' + err); return; } res.redirect(svcUrl); // redirect to the IdP }); } }; // ================================================================================ // SAML web request handlers // ================================================================================ // redirect to login on Arnes AAI, https://codeq.si/Shibboleth.sso/Login http_app.get('/Shibboleth.sso/Login', function (req, res) { var sid = req.query.sid, waiter, requestId, request; try { if (!sid) { res.send('SID not set'); return; } waiter = waitingLogins[sid]; if (!waiter) waitingLogins[sid] = waiter = makeWaiter(sid); requestId = makeRequestId(); request = { 'samlp:AuthnRequest': { '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion', '@Version': '2.0', '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', '@AssertionConsumerServiceURL': assertionConsumerServiceURL, '@Destination': SSOServiceURL, '@ID': requestId, '@IssueInstant': new Date().toISOString(), 'saml:Issuer': { '#text': SPIssuer } } }; makeSamlRedirectUrl(SSOServiceURL, 'SAMLRequest', request, null, function (err, svcUrl) { if (err) { logException('Error while assembling the Login SAML request: ' + err, err); waiter.done = Date.now(); waiter.reject(err instanceof Error ? err : new Error(err)); res.send('Failed: ' + err); return; } res.redirect(svcUrl); // redirect to the IdP parkedLoginRequests[requestId] = waiter; waiter.parked = Date.now(); waiter.requestId = requestId; }); } catch (e) { logException('Exception while processing login request: ' + e, e); res.send('Error: ' + e); if (waiter) { waiter.done = Date.now(); waiter.reject(e); } } }); // redirect to logout on Arnes AAI, https://codeq.si/Shibboleth.sso/Logout http_app.get('/Shibboleth.sso/Logout', function (req, res) { var sid = req.query.sid, waiter, requestId, request; if (!sid) { res.send('SID not set'); return; } waiter = waitingLogouts[sid]; if (!waiter) waitingLogouts[sid] = waiter = makeDoubleWaiter(sid); waiter.promise .then(function (samlData) { requestId = makeRequestId(); request = { 'samlp:LogoutRequest': { '@xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', '@xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion', '@Version': '2.0', '@Destination': SLOServiceURL, '@ID': requestId, '@IssueInstant': new Date().toISOString(), 'saml:Issuer' : { '#text': SPIssuer }, 'saml:NameID': samlData.NameID } }; if (samlData.SessionIndex) request['samlp:LogoutRequest']['samlp:SessionIndex'] = {'#text': samlData.SessionIndex}; makeSamlRedirectUrl(SLOServiceURL, 'SAMLRequest', request, null, function (err, svcUrl) { if (err) { logException('Error while assembling the Logout SAML request: ' + err, err); waiter.done = Date.now(); waiter.responseReject(err instanceof Error ? err : new Error(err)); res.send('Failed: ' + err); return; } res.redirect(svcUrl); // redirect to the IdP parkedLogoutRequests[requestId] = waiter; waiter.parked = Date.now(); waiter.requestId = requestId; }); }) .catch(function (e) { logException('Exception while processing login request: ' + e, e); res.send('Error: ' + e); if (waiter) { waiter.done = Date.now(); waiter.responseReject(e); } }) .done(); }); // user logged in, read the credentials http_app.post('/Shibboleth.sso/SAML2/POST', function (req, res) { var form = req.body, keys = [], errors = [], inResponseTo = null, issuer = null, signature = null, status = null, assertion = null, waiter = null, attributes, i, key, value, xml, doc, rootNode, node, NameID, Format, SPNameQualifier, SessionIndex, samlData, userData; value = form.SAMLResponse; if (!value) { errors.push('no SAMLResponse'); } else { xml = new Buffer(value, 'base64').toString('utf8'); doc = new xmldom.DOMParser().parseFromString(xml); rootNode = doc.documentElement; if (rootNode.localName != 'Response') { errors.push('the root XML node is not a Response: ' + rootNode.localName); } else { attributes = rootNode.attributes; for (i = attributes.length - 1; i >= 0; i--) { if (attributes[i].localName === 'InResponseTo') { inResponseTo = attributes[i].value; break; } } if (!inResponseTo) errors.push('request ID that this message is a response to is missing'); else { waiter = parkedLoginRequests[inResponseTo]; if (!waiter) errors.push('there is no session waiting on request ID ' + inResponseTo); else { waiter.done = Date.now(); delete parkedLoginRequests[inResponseTo]; } node = rootNode.firstChild; while (node) { switch (node.localName) { case 'Issuer': issuer = node.firstChild.data; break; case 'Signature': signature = validateXmlSignature(xml, node); break; case 'Status': status = xmlStatusOk(node); break; case 'Assertion': assertion = parseAssertion(xml, node); break; default: // errors.push('Unknown/unsupported top XML node: ' + node.localName + ', prefix: ' + node.prefix + '
\n'); break; } node = node.nextSibling; } if (issuer === null) errors.push('Issuer is not set'); else if (issuer !== IdPIssuer) errors.push('Invalid IdP issuer: ' + issuer); if (signature === null) errors.push('the response is not signed'); else if (!signature) errors.push('IdP signature is invalid'); if (status === null) errors.push('status is not set'); else if (!status) errors.push('response status is not OK'); if (!assertion) errors.push('no assertions supplied, no attributes present'); else { if ((typeof assertion.signatureOk !== 'undefined') && (!assertion.signatureOk)) errors.push('assertion signature is invalid'); samlData = {}; node = assertion.subject; if (!node) errors.push('assertion subject is not set'); else { node = node.NameID; if (!node) errors.push('assertion subject\'s NameID is not set'); else { if (!node['#text']) errors.push('assertion subject\'s NameID is empty'); samlData['NameID'] = node; } } if (assertion.SessionIndex) samlData['SessionIndex'] = assertion.SessionIndex; node = assertion.attributes; if (!node) errors.push('no attributes supplied'); else { userData = {}; samlData.userData = userData; keys = Object.keys(node); for (i = keys.length - 1; i >= 0; i--) { key = keys[i]; userData[key] = node[key]; } } } } } } res.set('Content-Type', 'text/plain'); if (errors.length > 0) { if (errors.length > 1) res.send('Multiple errors:\n ' + errors.join('\n ')); else res.send('Error: ' + errors[0]); if (waiter) waiter.reject(new Error(errors.join(', '))); } else { res.send('OK'); if (waiter) waiter.resolve(samlData); } }); // user logged out, the GET service http_app.get('/Shibboleth.sso/SLO/Redirect', function (req, res) { var form = req.query, delegateToHandler = function (err, buffer, handler) { if (err) { logException('Error while deflating request: ' + err, err); res.send('Failed: ' + err); return; } handler(buffer.toString('utf8'), form, res); }; if (form.SAMLRequest) zlib.inflateRaw(new Buffer(form.SAMLRequest, 'base64'), function (err, buffer) {delegateToHandler(err, buffer, handleLogoutRequest);}); else if (form.SAMLResponse) zlib.inflateRaw(new Buffer(form.SAMLResponse, 'base64'), function (err, buffer) {delegateToHandler(err, buffer, handleLogoutResponse);}); else res.send('Invalid SAML logout request.'); }); // ================================================================================ // Web API handlers // ================================================================================ http_app.get('/Shibboleth.sso/WaitLogin', function (req, res) { var sid = req.query.sid, waiter; if (!sid) { res.json({'code': -1, 'message': 'sid query parameter not set'}); return; } waiter = waitingLogins[sid]; if (!waiter) waitingLogins[sid] = waiter = makeWaiter(sid); waiter.listeners = waiter.listeners + 1; waiter.promise.then(function (jsonResponse) { delete waitingLogins[sid]; res.json({'code': 0, 'message': 'OK', 'data': jsonResponse}); }, function (err) { delete waitingLogins[sid]; res.json({'code': 1, 'message': '' + err}); }).done(); }); http_app.get('/Shibboleth.sso/WaitLogout', function (req, res) { var sid = req.query.sid, saml = req.query.saml, waiter, samlData; if (!sid) { res.json({'code': -1, 'message': 'sid query parameter not set'}); return; } if (!saml) { res.json({'code': -2, 'message': 'saml query parameter not set'}); return; } try { samlData = JSON.parse(saml); } catch (e) { res.json({'code': -3, 'message': 'saml query parameter is not proper JSON: ' + e}); return; } waiter = waitingLogouts[sid]; if (!waiter) waitingLogouts[sid] = waiter = makeDoubleWaiter(sid); waiter.listeners = waiter.listeners + 1; waiter.resolve(samlData); waiter.responsePromise.then(function () { delete waitingLogouts[sid]; res.json({'code': 0, 'message': 'OK'}); }, function (err) { delete waitingLogouts[sid]; res.json({'code': 1, 'message': '' + err}); }).done(); });