sso

node_modules/passport-saml/lib/node-saml/algorithms.d.ts

@@ -0,0 +1,5 @@
+/// <reference types="node" />
+import * as crypto from "crypto";
+export declare function getSigningAlgorithm(shortName?: string): string;
+export declare function getDigestAlgorithm(shortName?: string): string;
+export declare function getSigner(shortName?: string): crypto.Signer;

node_modules/passport-saml/lib/node-saml/algorithms.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSigner = exports.getDigestAlgorithm = exports.getSigningAlgorithm = void 0;
+const crypto = require("crypto");
+function getSigningAlgorithm(shortName) {
+    switch (shortName) {
+        case "sha256":
+            return "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+        case "sha512":
+            return "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
+        case "sha1":
+        default:
+            return "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+    }
+}
+exports.getSigningAlgorithm = getSigningAlgorithm;
+function getDigestAlgorithm(shortName) {
+    switch (shortName) {
+        case "sha256":
+            return "http://www.w3.org/2001/04/xmlenc#sha256";
+        case "sha512":
+            return "http://www.w3.org/2001/04/xmlenc#sha512";
+        case "sha1":
+        default:
+            return "http://www.w3.org/2000/09/xmldsig#sha1";
+    }
+}
+exports.getDigestAlgorithm = getDigestAlgorithm;
+function getSigner(shortName) {
+    switch (shortName) {
+        case "sha256":
+            return crypto.createSign("RSA-SHA256");
+        case "sha512":
+            return crypto.createSign("RSA-SHA512");
+        case "sha1":
+        default:
+            return crypto.createSign("RSA-SHA1");
+    }
+}
+exports.getSigner = getSigner;
+//# sourceMappingURL=algorithms.js.map

node_modules/passport-saml/lib/node-saml/algorithms.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"algorithms.js","sourceRoot":"","sources":["../../src/node-saml/algorithms.ts"],"names":[],"mappings":";;;AAAA,iCAAiC;AAEjC,SAAgB,mBAAmB,CAAC,SAAkB;IACpD,QAAQ,SAAS,EAAE;QACjB,KAAK,QAAQ;YACX,OAAO,mDAAmD,CAAC;QAC7D,KAAK,QAAQ;YACX,OAAO,mDAAmD,CAAC;QAC7D,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,4CAA4C,CAAC;KACvD;AACH,CAAC;AAVD,kDAUC;AAED,SAAgB,kBAAkB,CAAC,SAAkB;IACnD,QAAQ,SAAS,EAAE;QACjB,KAAK,QAAQ;YACX,OAAO,yCAAyC,CAAC;QACnD,KAAK,QAAQ;YACX,OAAO,yCAAyC,CAAC;QACnD,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,wCAAwC,CAAC;KACnD;AACH,CAAC;AAVD,gDAUC;AAED,SAAgB,SAAS,CAAC,SAAkB;IAC1C,QAAQ,SAAS,EAAE;QACjB,KAAK,QAAQ;YACX,OAAO,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QACzC,KAAK,QAAQ;YACX,OAAO,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QACzC,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;KACxC;AACH,CAAC;AAVD,8BAUC","sourcesContent":["import * as crypto from \"crypto\";\n\nexport function getSigningAlgorithm(shortName?: string): string {\n  switch (shortName) {\n    case \"sha256\":\n      return \"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\";\n    case \"sha512\":\n      return \"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512\";\n    case \"sha1\":\n    default:\n      return \"http://www.w3.org/2000/09/xmldsig#rsa-sha1\";\n  }\n}\n\nexport function getDigestAlgorithm(shortName?: string): string {\n  switch (shortName) {\n    case \"sha256\":\n      return \"http://www.w3.org/2001/04/xmlenc#sha256\";\n    case \"sha512\":\n      return \"http://www.w3.org/2001/04/xmlenc#sha512\";\n    case \"sha1\":\n    default:\n      return \"http://www.w3.org/2000/09/xmldsig#sha1\";\n  }\n}\n\nexport function getSigner(shortName?: string): crypto.Signer {\n  switch (shortName) {\n    case \"sha256\":\n      return crypto.createSign(\"RSA-SHA256\");\n    case \"sha512\":\n      return crypto.createSign(\"RSA-SHA512\");\n    case \"sha1\":\n    default:\n      return crypto.createSign(\"RSA-SHA1\");\n  }\n}\n"]}

node_modules/passport-saml/lib/node-saml/index.d.ts

@@ -0,0 +1,3 @@
+import type { CacheItem, CacheProvider } from "./inmemory-cache-provider";
+import { SAML } from "./saml";
+export { SAML, CacheItem, CacheProvider };

node_modules/passport-saml/lib/node-saml/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SAML = void 0;
+const saml_1 = require("./saml");
+Object.defineProperty(exports, "SAML", { enumerable: true, get: function () { return saml_1.SAML; } });
+//# sourceMappingURL=index.js.map

node_modules/passport-saml/lib/node-saml/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/node-saml/index.ts"],"names":[],"mappings":";;;AACA,iCAA8B;AAErB,qFAFA,WAAI,OAEA","sourcesContent":["import type { CacheItem, CacheProvider } from \"./inmemory-cache-provider\";\nimport { SAML } from \"./saml\";\n\nexport { SAML, CacheItem, CacheProvider };\n"]}

node_modules/passport-saml/lib/node-saml/inmemory-cache-provider.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Simple in memory cache provider.  To be used to store state of requests that needs
+ * to be validated/checked when a response is received.
+ *
+ * This is the default implementation of a cache provider used by Passport-SAML.  For
+ * multiple server instances/load balanced scenarios (I.e. the SAML request could have
+ * been generated from a different server/process handling the SAML response) this
+ * implementation will NOT be sufficient.
+ *
+ * The caller should provide their own implementation for a cache provider as defined
+ * in the config options for Passport-SAML.
+ * @param options
+ * @constructor
+ */
+export interface CacheItem {
+    value: string;
+    createdAt: number;
+}
+interface CacheProviderOptions {
+    keyExpirationPeriodMs: number;
+}
+export declare class CacheProvider {
+    cacheKeys: Record<string, CacheItem>;
+    options: CacheProviderOptions;
+    constructor(options: Partial<CacheProviderOptions>);
+    /**
+     * Store an item in the cache, using the specified key and value.
+     * Internally will keep track of the time the item was added to the cache
+     * @param id
+     * @param value
+     */
+    saveAsync(key: string, value: string): Promise<CacheItem | null>;
+    /**
+     * Returns the value of the specified key in the cache
+     * @param id
+     * @returns {boolean}
+     */
+    getAsync(key: string): Promise<string | null>;
+    /**
+     * Removes an item from the cache if it exists
+     * @param key
+     */
+    removeAsync(key: string): Promise<string | null>;
+}
+export {};

node_modules/passport-saml/lib/node-saml/inmemory-cache-provider.js

@@ -0,0 +1,86 @@
+"use strict";
+/**
+ * Simple in memory cache provider.  To be used to store state of requests that needs
+ * to be validated/checked when a response is received.
+ *
+ * This is the default implementation of a cache provider used by Passport-SAML.  For
+ * multiple server instances/load balanced scenarios (I.e. the SAML request could have
+ * been generated from a different server/process handling the SAML response) this
+ * implementation will NOT be sufficient.
+ *
+ * The caller should provide their own implementation for a cache provider as defined
+ * in the config options for Passport-SAML.
+ * @param options
+ * @constructor
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CacheProvider = void 0;
+class CacheProvider {
+    constructor(options) {
+        var _a;
+        this.cacheKeys = {};
+        this.options = {
+            ...options,
+            keyExpirationPeriodMs: (_a = options === null || options === void 0 ? void 0 : options.keyExpirationPeriodMs) !== null && _a !== void 0 ? _a : 28800000,
+        };
+        // Expire old cache keys
+        const expirationTimer = setInterval(() => {
+            const nowMs = new Date().getTime();
+            const keys = Object.keys(this.cacheKeys);
+            keys.forEach((key) => {
+                if (nowMs >=
+                    new Date(this.cacheKeys[key].createdAt).getTime() + this.options.keyExpirationPeriodMs) {
+                    this.removeAsync(key);
+                }
+            });
+        }, this.options.keyExpirationPeriodMs);
+        // we only want this to run if the process is still open; it shouldn't hold the process open (issue #68)
+        expirationTimer.unref();
+    }
+    /**
+     * Store an item in the cache, using the specified key and value.
+     * Internally will keep track of the time the item was added to the cache
+     * @param id
+     * @param value
+     */
+    async saveAsync(key, value) {
+        if (!this.cacheKeys[key]) {
+            this.cacheKeys[key] = {
+                createdAt: new Date().getTime(),
+                value: value,
+            };
+            return this.cacheKeys[key];
+        }
+        else {
+            return null;
+        }
+    }
+    /**
+     * Returns the value of the specified key in the cache
+     * @param id
+     * @returns {boolean}
+     */
+    async getAsync(key) {
+        if (this.cacheKeys[key]) {
+            return this.cacheKeys[key].value;
+        }
+        else {
+            return null;
+        }
+    }
+    /**
+     * Removes an item from the cache if it exists
+     * @param key
+     */
+    async removeAsync(key) {
+        if (this.cacheKeys[key]) {
+            delete this.cacheKeys[key];
+            return key;
+        }
+        else {
+            return null;
+        }
+    }
+}
+exports.CacheProvider = CacheProvider;
+//# sourceMappingURL=inmemory-cache-provider.js.map

node_modules/passport-saml/lib/node-saml/inmemory-cache-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inmemory-cache-provider.js","sourceRoot":"","sources":["../../src/node-saml/inmemory-cache-provider.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAWH,MAAa,aAAa;IAIxB,YAAY,OAAsC;;QAChD,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC;QAEpB,IAAI,CAAC,OAAO,GAAG;YACb,GAAG,OAAO;YACV,qBAAqB,QAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,qBAAqB,mCAAI,QAAQ;SAClE,CAAC;QAEF,wBAAwB;QACxB,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;YACvC,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACzC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;gBACnB,IACE,KAAK;oBACL,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB,EACtF;oBACA,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;iBACvB;YACH,CAAC,CAAC,CAAC;QACL,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QAEvC,wGAAwG;QACxG,eAAe,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAa;QACxC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;YACxB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG;gBACpB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE;gBAC/B,KAAK,EAAE,KAAK;aACb,CAAC;YACF,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;SAC5B;aAAM;YACL,OAAO,IAAI,CAAC;SACb;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;YACvB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;SAClC;aAAM;YACL,OAAO,IAAI,CAAC;SACb;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;YACvB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC3B,OAAO,GAAG,CAAC;SACZ;aAAM;YACL,OAAO,IAAI,CAAC;SACb;IACH,CAAC;CACF;AAzED,sCAyEC","sourcesContent":["/**\n * Simple in memory cache provider.  To be used to store state of requests that needs\n * to be validated/checked when a response is received.\n *\n * This is the default implementation of a cache provider used by Passport-SAML.  For\n * multiple server instances/load balanced scenarios (I.e. the SAML request could have\n * been generated from a different server/process handling the SAML response) this\n * implementation will NOT be sufficient.\n *\n * The caller should provide their own implementation for a cache provider as defined\n * in the config options for Passport-SAML.\n * @param options\n * @constructor\n */\n\nexport interface CacheItem {\n  value: string;\n  createdAt: number;\n}\n\ninterface CacheProviderOptions {\n  keyExpirationPeriodMs: number;\n}\n\nexport class CacheProvider {\n  cacheKeys: Record<string, CacheItem>;\n  options: CacheProviderOptions;\n\n  constructor(options: Partial<CacheProviderOptions>) {\n    this.cacheKeys = {};\n\n    this.options = {\n      ...options,\n      keyExpirationPeriodMs: options?.keyExpirationPeriodMs ?? 28800000, // 8 hours,\n    };\n\n    // Expire old cache keys\n    const expirationTimer = setInterval(() => {\n      const nowMs = new Date().getTime();\n      const keys = Object.keys(this.cacheKeys);\n      keys.forEach((key) => {\n        if (\n          nowMs >=\n          new Date(this.cacheKeys[key].createdAt).getTime() + this.options.keyExpirationPeriodMs\n        ) {\n          this.removeAsync(key);\n        }\n      });\n    }, this.options.keyExpirationPeriodMs);\n\n    // we only want this to run if the process is still open; it shouldn't hold the process open (issue #68)\n    expirationTimer.unref();\n  }\n\n  /**\n   * Store an item in the cache, using the specified key and value.\n   * Internally will keep track of the time the item was added to the cache\n   * @param id\n   * @param value\n   */\n  async saveAsync(key: string, value: string): Promise<CacheItem | null> {\n    if (!this.cacheKeys[key]) {\n      this.cacheKeys[key] = {\n        createdAt: new Date().getTime(),\n        value: value,\n      };\n      return this.cacheKeys[key];\n    } else {\n      return null;\n    }\n  }\n\n  /**\n   * Returns the value of the specified key in the cache\n   * @param id\n   * @returns {boolean}\n   */\n  async getAsync(key: string): Promise<string | null> {\n    if (this.cacheKeys[key]) {\n      return this.cacheKeys[key].value;\n    } else {\n      return null;\n    }\n  }\n\n  /**\n   * Removes an item from the cache if it exists\n   * @param key\n   */\n  async removeAsync(key: string): Promise<string | null> {\n    if (this.cacheKeys[key]) {\n      delete this.cacheKeys[key];\n      return key;\n    } else {\n      return null;\n    }\n  }\n}\n"]}

node_modules/passport-saml/lib/node-saml/saml-post-signing.d.ts

@@ -0,0 +1,3 @@
+import { SamlSigningOptions } from "./types";
+export declare function signSamlPost(samlMessage: string, xpath: string, options: SamlSigningOptions): string;
+export declare function signAuthnRequestPost(authnRequest: string, options: SamlSigningOptions): string;

node_modules/passport-saml/lib/node-saml/saml-post-signing.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signAuthnRequestPost = exports.signSamlPost = void 0;
+const xml_1 = require("./xml");
+const authnRequestXPath = '/*[local-name(.)="AuthnRequest" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
+const issuerXPath = '/*[local-name(.)="Issuer" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:assertion"]';
+function signSamlPost(samlMessage, xpath, options) {
+    return xml_1.signXml(samlMessage, xpath, { reference: xpath + issuerXPath, action: "after" }, options);
+}
+exports.signSamlPost = signSamlPost;
+function signAuthnRequestPost(authnRequest, options) {
+    return signSamlPost(authnRequest, authnRequestXPath, options);
+}
+exports.signAuthnRequestPost = signAuthnRequestPost;
+//# sourceMappingURL=saml-post-signing.js.map

node_modules/passport-saml/lib/node-saml/saml-post-signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"saml-post-signing.js","sourceRoot":"","sources":["../../src/node-saml/saml-post-signing.ts"],"names":[],"mappings":";;;AACA,+BAAgC;AAEhC,MAAM,iBAAiB,GACrB,8FAA8F,CAAC;AACjG,MAAM,WAAW,GACf,yFAAyF,CAAC;AAE5F,SAAgB,YAAY,CAC1B,WAAmB,EACnB,KAAa,EACb,OAA2B;IAE3B,OAAO,aAAO,CAAC,WAAW,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,GAAG,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;AACnG,CAAC;AAND,oCAMC;AAED,SAAgB,oBAAoB,CAAC,YAAoB,EAAE,OAA2B;IACpF,OAAO,YAAY,CAAC,YAAY,EAAE,iBAAiB,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAFD,oDAEC","sourcesContent":["import { SamlSigningOptions } from \"./types\";\nimport { signXml } from \"./xml\";\n\nconst authnRequestXPath =\n  '/*[local-name(.)=\"AuthnRequest\" and namespace-uri(.)=\"urn:oasis:names:tc:SAML:2.0:protocol\"]';\nconst issuerXPath =\n  '/*[local-name(.)=\"Issuer\" and namespace-uri(.)=\"urn:oasis:names:tc:SAML:2.0:assertion\"]';\n\nexport function signSamlPost(\n  samlMessage: string,\n  xpath: string,\n  options: SamlSigningOptions\n): string {\n  return signXml(samlMessage, xpath, { reference: xpath + issuerXPath, action: \"after\" }, options);\n}\n\nexport function signAuthnRequestPost(authnRequest: string, options: SamlSigningOptions): string {\n  return signSamlPost(authnRequest, authnRequestXPath, options);\n}\n"]}

node_modules/passport-saml/lib/node-saml/saml.d.ts

@@ -0,0 +1,58 @@
+/// <reference types="node" />
+import * as querystring from "querystring";
+import { CacheProvider as InMemoryCacheProvider } from "./inmemory-cache-provider";
+import { ParsedQs } from "qs";
+import { SamlOptions } from "./types";
+import { AuthenticateOptions, AuthorizeOptions, Profile, SamlConfig } from "../passport-saml/types";
+interface NameID {
+    value: string | null;
+    format: string | null;
+}
+declare class SAML {
+    options: SamlOptions;
+    cacheProvider: InMemoryCacheProvider;
+    constructor(ctorOptions: SamlConfig);
+    initialize(ctorOptions: SamlConfig): SamlOptions;
+    private getCallbackUrl;
+    _generateUniqueID(): string;
+    private generateInstant;
+    private signRequest;
+    private generateAuthorizeRequestAsync;
+    _generateLogoutRequest(user: Profile): Promise<string>;
+    _generateLogoutResponse(logoutRequest: Profile): string;
+    _requestToUrlAsync(request: string | null | undefined, response: string | null, operation: string, additionalParameters: querystring.ParsedUrlQuery): Promise<string>;
+    _getAdditionalParams(RelayState: string, operation: string, overrideParams?: querystring.ParsedUrlQuery): querystring.ParsedUrlQuery;
+    getAuthorizeUrlAsync(RelayState: string, host: string | undefined, options: AuthorizeOptions): Promise<string>;
+    getAuthorizeFormAsync(RelayState: string, host?: string): Promise<string>;
+    getLogoutUrlAsync(user: Profile, RelayState: string, options: AuthenticateOptions & AuthorizeOptions): Promise<string>;
+    getLogoutResponseUrl(samlLogoutRequest: Profile, RelayState: string, options: AuthenticateOptions & AuthorizeOptions, callback: (err: Error | null, url?: string | null) => void): void;
+    private getLogoutResponseUrlAsync;
+    _certToPEM(cert: string): string;
+    private certsToCheck;
+    validateSignature(fullXml: string, currentNode: Element, certs: string[]): boolean;
+    validatePostResponseAsync(container: Record<string, string>): Promise<{
+        profile?: Profile | null;
+        loggedOut?: boolean;
+    }>;
+    private validateInResponseTo;
+    validateRedirectAsync(container: ParsedQs, originalQuery: string | null): Promise<{
+        profile?: Profile | null;
+        loggedOut?: boolean;
+    }>;
+    private hasValidSignatureForRedirect;
+    private validateSignatureForRedirect;
+    private verifyLogoutRequest;
+    private verifyLogoutResponse;
+    private verifyIssuer;
+    private processValidlySignedAssertionAsync;
+    private checkTimestampsValidityError;
+    private checkAudienceValidityError;
+    validatePostRequestAsync(container: Record<string, string>): Promise<{
+        profile?: Profile;
+        loggedOut?: boolean;
+    }>;
+    _getNameIdAsync(self: SAML, doc: Node): Promise<NameID>;
+    generateServiceProviderMetadata(decryptionCert: string | null, signingCert?: string | null): string;
+    _keyToPEM(key: string | Buffer): typeof key extends string | Buffer ? string | Buffer : Error;
+}
+export { SAML };

node_modules/passport-saml/lib/node-saml/types.d.ts

@@ -0,0 +1,94 @@
+/// <reference types="node" />
+import type { CacheProvider } from "./inmemory-cache-provider";
+export declare type SignatureAlgorithm = "sha1" | "sha256" | "sha512";
+export interface SamlSigningOptions {
+    privateKey: string | Buffer;
+    signatureAlgorithm?: SignatureAlgorithm;
+    xmlSignatureTransforms?: string[];
+    digestAlgorithm?: string;
+}
+export declare const isValidSamlSigningOptions: (options: Partial<SamlSigningOptions>) => options is SamlSigningOptions;
+export interface AudienceRestrictionXML {
+    Audience?: XMLObject[];
+}
+export declare type XMLValue = string | number | boolean | null | XMLObject | XMLValue[];
+export declare type XMLObject = {
+    [key: string]: XMLValue;
+};
+export declare type XMLInput = XMLObject;
+export declare type XMLOutput = Record<string, any>;
+export interface AuthorizeRequestXML {
+    "samlp:AuthnRequest": XMLInput;
+}
+export declare type CertCallback = (callback: (err: Error | null, cert?: string | string[]) => void) => void;
+/**
+ * These are SAML options that must be provided to construct a new SAML Strategy
+ */
+export interface MandatorySamlOptions {
+    cert: string | string[] | CertCallback;
+}
+export interface SamlIDPListConfig {
+    entries: SamlIDPEntryConfig[];
+    getComplete?: string;
+}
+export interface SamlIDPEntryConfig {
+    providerId: string;
+    name?: string;
+    loc?: string;
+}
+export interface LogoutRequestXML {
+    "samlp:LogoutRequest": {
+        "saml:NameID": XMLInput;
+        [key: string]: XMLValue;
+    };
+}
+export interface ServiceMetadataXML {
+    EntityDescriptor: {
+        [key: string]: XMLValue;
+        SPSSODescriptor: XMLObject;
+    };
+}
+export declare type RacComparision = "exact" | "minimum" | "maximum" | "better";
+interface SamlScopingConfig {
+    idpList?: SamlIDPListConfig[];
+    proxyCount?: number;
+    requesterId?: string[] | string;
+}
+/**
+ * The options required to use a SAML strategy
+ * These may be provided by means of defaults specified in the constructor
+ */
+export interface SamlOptions extends SamlSigningOptions, MandatorySamlOptions {
+    callbackUrl?: string;
+    path: string;
+    protocol?: string;
+    host: string;
+    entryPoint?: string;
+    issuer: string;
+    decryptionPvk?: string | Buffer;
+    additionalParams: Record<string, string>;
+    additionalAuthorizeParams: Record<string, string>;
+    identifierFormat?: string | null;
+    acceptedClockSkewMs: number;
+    attributeConsumingServiceIndex?: string;
+    disableRequestedAuthnContext: boolean;
+    authnContext: string[];
+    forceAuthn: boolean;
+    skipRequestCompression: boolean;
+    authnRequestBinding?: string;
+    racComparison: RacComparision;
+    providerName?: string;
+    passive: boolean;
+    idpIssuer?: string;
+    audience?: string;
+    scoping?: SamlScopingConfig;
+    wantAssertionsSigned?: boolean;
+    validateInResponseTo: boolean;
+    requestIdExpirationPeriodMs: number;
+    cacheProvider: CacheProvider;
+    logoutUrl: string;
+    additionalLogoutParams: Record<string, string>;
+    logoutCallbackUrl?: string;
+    disableRequestAcsUrl: boolean;
+}
+export {};

node_modules/passport-saml/lib/node-saml/types.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isValidSamlSigningOptions = void 0;
+const isValidSamlSigningOptions = (options) => {
+    return options.privateKey != null;
+};
+exports.isValidSamlSigningOptions = isValidSamlSigningOptions;
+//# sourceMappingURL=types.js.map

node_modules/passport-saml/lib/node-saml/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/node-saml/types.ts"],"names":[],"mappings":";;;AAWO,MAAM,yBAAyB,GAAG,CACvC,OAAoC,EACL,EAAE;IACjC,OAAO,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC;AACpC,CAAC,CAAC;AAJW,QAAA,yBAAyB,6BAIpC","sourcesContent":["import type { CacheProvider } from \"./inmemory-cache-provider\";\n\nexport type SignatureAlgorithm = \"sha1\" | \"sha256\" | \"sha512\";\n\nexport interface SamlSigningOptions {\n  privateKey: string | Buffer;\n  signatureAlgorithm?: SignatureAlgorithm;\n  xmlSignatureTransforms?: string[];\n  digestAlgorithm?: string;\n}\n\nexport const isValidSamlSigningOptions = (\n  options: Partial<SamlSigningOptions>\n): options is SamlSigningOptions => {\n  return options.privateKey != null;\n};\n\nexport interface AudienceRestrictionXML {\n  Audience?: XMLObject[];\n}\n\nexport type XMLValue = string | number | boolean | null | XMLObject | XMLValue[];\n\nexport type XMLObject = {\n  [key: string]: XMLValue;\n};\n\nexport type XMLInput = XMLObject;\n\nexport type XMLOutput = Record<string, any>;\n\nexport interface AuthorizeRequestXML {\n  \"samlp:AuthnRequest\": XMLInput;\n}\n\nexport type CertCallback = (\n  callback: (err: Error | null, cert?: string | string[]) => void\n) => void;\n\n/**\n * These are SAML options that must be provided to construct a new SAML Strategy\n */\nexport interface MandatorySamlOptions {\n  cert: string | string[] | CertCallback;\n}\n\nexport interface SamlIDPListConfig {\n  entries: SamlIDPEntryConfig[];\n  getComplete?: string;\n}\n\nexport interface SamlIDPEntryConfig {\n  providerId: string;\n  name?: string;\n  loc?: string;\n}\n\nexport interface LogoutRequestXML {\n  \"samlp:LogoutRequest\": {\n    \"saml:NameID\": XMLInput;\n    [key: string]: XMLValue;\n  };\n}\n\nexport interface ServiceMetadataXML {\n  EntityDescriptor: {\n    [key: string]: XMLValue;\n    SPSSODescriptor: XMLObject;\n  };\n}\n\nexport type RacComparision = \"exact\" | \"minimum\" | \"maximum\" | \"better\";\n\ninterface SamlScopingConfig {\n  idpList?: SamlIDPListConfig[];\n  proxyCount?: number;\n  requesterId?: string[] | string;\n}\n\n/**\n * The options required to use a SAML strategy\n * These may be provided by means of defaults specified in the constructor\n */\nexport interface SamlOptions extends SamlSigningOptions, MandatorySamlOptions {\n  // Core\n  callbackUrl?: string;\n  path: string;\n  protocol?: string;\n  host: string;\n  entryPoint?: string;\n  issuer: string;\n  decryptionPvk?: string | Buffer;\n\n  // Additional SAML behaviors\n  additionalParams: Record<string, string>;\n  additionalAuthorizeParams: Record<string, string>;\n  identifierFormat?: string | null;\n  acceptedClockSkewMs: number;\n  attributeConsumingServiceIndex?: string;\n  disableRequestedAuthnContext: boolean;\n  authnContext: string[];\n  forceAuthn: boolean;\n  skipRequestCompression: boolean;\n  authnRequestBinding?: string;\n  racComparison: RacComparision;\n  providerName?: string;\n  passive: boolean;\n  idpIssuer?: string;\n  audience?: string;\n  scoping?: SamlScopingConfig;\n  wantAssertionsSigned?: boolean;\n\n  // InResponseTo Validation\n  validateInResponseTo: boolean;\n  requestIdExpirationPeriodMs: number;\n  cacheProvider: CacheProvider;\n\n  // Logout\n  logoutUrl: string;\n  additionalLogoutParams: Record<string, string>;\n  logoutCallbackUrl?: string;\n\n  // extras\n  disableRequestAcsUrl: boolean;\n}\n"]}

node_modules/passport-saml/lib/node-saml/utility.d.ts

@@ -0,0 +1,3 @@
+import { SamlSigningOptions } from "./types";
+export declare function assertRequired<T>(value: T | null | undefined, error?: string): T;
+export declare function signXmlResponse(samlMessage: string, options: SamlSigningOptions): string;

node_modules/passport-saml/lib/node-saml/utility.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signXmlResponse = exports.assertRequired = void 0;
+const xml_1 = require("./xml");
+function assertRequired(value, error) {
+    if (value === undefined || value === null || (typeof value === "string" && value.length === 0)) {
+        throw new TypeError(error !== null && error !== void 0 ? error : "value does not exist");
+    }
+    else {
+        return value;
+    }
+}
+exports.assertRequired = assertRequired;
+function signXmlResponse(samlMessage, options) {
+    const responseXpath = '//*[local-name(.)="Response" and namespace-uri(.)="urn:oasis:names:tc:SAML:2.0:protocol"]';
+    return xml_1.signXml(samlMessage, responseXpath, { reference: responseXpath, action: "append" }, options);
+}
+exports.signXmlResponse = signXmlResponse;
+//# sourceMappingURL=utility.js.map

node_modules/passport-saml/lib/node-saml/utility.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utility.js","sourceRoot":"","sources":["../../src/node-saml/utility.ts"],"names":[],"mappings":";;;AACA,+BAAgC;AAEhC,SAAgB,cAAc,CAAI,KAA2B,EAAE,KAAc;IAC3E,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE;QAC9F,MAAM,IAAI,SAAS,CAAC,KAAK,aAAL,KAAK,cAAL,KAAK,GAAI,sBAAsB,CAAC,CAAC;KACtD;SAAM;QACL,OAAO,KAAK,CAAC;KACd;AACH,CAAC;AAND,wCAMC;AAED,SAAgB,eAAe,CAAC,WAAmB,EAAE,OAA2B;IAC9E,MAAM,aAAa,GACjB,2FAA2F,CAAC;IAE9F,OAAO,aAAO,CACZ,WAAW,EACX,aAAa,EACb,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,EAC9C,OAAO,CACR,CAAC;AACJ,CAAC;AAVD,0CAUC","sourcesContent":["import { SamlSigningOptions } from \"./types\";\nimport { signXml } from \"./xml\";\n\nexport function assertRequired<T>(value: T | null | undefined, error?: string): T {\n  if (value === undefined || value === null || (typeof value === \"string\" && value.length === 0)) {\n    throw new TypeError(error ?? \"value does not exist\");\n  } else {\n    return value;\n  }\n}\n\nexport function signXmlResponse(samlMessage: string, options: SamlSigningOptions): string {\n  const responseXpath =\n    '//*[local-name(.)=\"Response\" and namespace-uri(.)=\"urn:oasis:names:tc:SAML:2.0:protocol\"]';\n\n  return signXml(\n    samlMessage,\n    responseXpath,\n    { reference: responseXpath, action: \"append\" },\n    options\n  );\n}\n"]}

node_modules/passport-saml/lib/node-saml/xml.d.ts

@@ -0,0 +1,21 @@
+/// <reference types="node" />
+import { SamlSigningOptions } from "./types";
+export declare const xpath: {
+    selectAttributes: (node: Node, xpath: string) => Attr[];
+    selectElements: (node: Node, xpath: string) => Element[];
+};
+export declare const decryptXml: (xml: string, decryptionKey: string | Buffer) => Promise<string>;
+/**
+ * This function checks that the |signature| is signed with a given |cert|.
+ */
+export declare const validateXmlSignatureForCert: (signature: Node, certPem: string, fullXml: string, currentNode: Element) => boolean;
+interface XmlSignatureLocation {
+    reference: string;
+    action: "append" | "prepend" | "before" | "after";
+}
+export declare const signXml: (xml: string, xpath: string, location: XmlSignatureLocation, options: SamlSigningOptions) => string;
+export declare const parseDomFromString: (xml: string) => Document;
+export declare const parseXml2JsFromString: (xml: string | Buffer) => Promise<any>;
+export declare const buildXml2JsObject: (rootName: string, xml: any) => string;
+export declare const buildXmlBuilderObject: (xml: Record<string, any>, pretty: boolean) => string;
+export {};

node_modules/passport-saml/lib/node-saml/xml.js

@@ -0,0 +1,140 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildXmlBuilderObject = exports.buildXml2JsObject = exports.parseXml2JsFromString = exports.parseDomFromString = exports.signXml = exports.validateXmlSignatureForCert = exports.decryptXml = exports.xpath = void 0;
+const util = require("util");
+const xmlCrypto = require("xml-crypto");
+const xmlenc = require("xml-encryption");
+const xmldom = require("xmldom");
+const xml2js = require("xml2js");
+const xmlbuilder = require("xmlbuilder");
+const types_1 = require("./types");
+const algorithms = require("./algorithms");
+const selectXPath = (guard, node, xpath) => {
+    const result = xmlCrypto.xpath(node, xpath);
+    if (!guard(result)) {
+        throw new Error("invalid xpath return type");
+    }
+    return result;
+};
+const attributesXPathTypeGuard = (values) => {
+    return values.every((value) => {
+        if (typeof value != "object") {
+            return false;
+        }
+        return typeof value.nodeType === "number" && value.nodeType === value.ATTRIBUTE_NODE;
+    });
+};
+const elementsXPathTypeGuard = (values) => {
+    return values.every((value) => {
+        if (typeof value != "object") {
+            return false;
+        }
+        return typeof value.nodeType === "number" && value.nodeType === value.ELEMENT_NODE;
+    });
+};
+exports.xpath = {
+    selectAttributes: (node, xpath) => selectXPath(attributesXPathTypeGuard, node, xpath),
+    selectElements: (node, xpath) => selectXPath(elementsXPathTypeGuard, node, xpath),
+};
+const decryptXml = async (xml, decryptionKey) => util.promisify(xmlenc.decrypt).bind(xmlenc)(xml, { key: decryptionKey });
+exports.decryptXml = decryptXml;
+const normalizeNewlines = (xml) => {
+    // we can use this utility before passing XML to `xml-crypto`
+    // we are considered the XML processor and are responsible for newline normalization
+    // https://github.com/node-saml/passport-saml/issues/431#issuecomment-718132752
+    return xml.replace(/\r\n?/g, "\n");
+};
+const normalizeXml = (xml) => {
+    // we can use this utility to parse and re-stringify XML
+    // `DOMParser` will take care of normalization tasks, like replacing XML-encoded carriage returns with actual carriage returns
+    return exports.parseDomFromString(xml).toString();
+};
+/**
+ * This function checks that the |signature| is signed with a given |cert|.
+ */
+const validateXmlSignatureForCert = (signature, certPem, fullXml, currentNode) => {
+    const sig = new xmlCrypto.SignedXml();
+    sig.keyInfoProvider = {
+        file: "",
+        getKeyInfo: () => "<X509Data></X509Data>",
+        getKey: () => Buffer.from(certPem),
+    };
+    const signatureStr = normalizeNewlines(signature.toString());
+    sig.loadSignature(signatureStr);
+    // We expect each signature to contain exactly one reference to the top level of the xml we
+    //   are validating, so if we see anything else, reject.
+    if (sig.references.length != 1)
+        return false;
+    const refUri = sig.references[0].uri;
+    const refId = refUri[0] === "#" ? refUri.substring(1) : refUri;
+    // If we can't find the reference at the top level, reject
+    const idAttribute = currentNode.getAttribute("ID") ? "ID" : "Id";
+    if (currentNode.getAttribute(idAttribute) != refId)
+        return false;
+    // If we find any extra referenced nodes, reject.  (xml-crypto only verifies one digest, so
+    //   multiple candidate references is bad news)
+    const totalReferencedNodes = exports.xpath.selectElements(currentNode.ownerDocument, "//*[@" + idAttribute + "='" + refId + "']");
+    if (totalReferencedNodes.length > 1) {
+        return false;
+    }
+    // normalize XML to replace XML-encoded carriage returns with actual carriage returns
+    fullXml = normalizeXml(fullXml);
+    fullXml = normalizeNewlines(fullXml);
+    return sig.checkSignature(fullXml);
+};
+exports.validateXmlSignatureForCert = validateXmlSignatureForCert;
+const signXml = (xml, xpath, location, options) => {
+    var _a;
+    const defaultTransforms = [
+        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+        "http://www.w3.org/2001/10/xml-exc-c14n#",
+    ];
+    if (!xml)
+        throw new Error("samlMessage is required");
+    if (!location)
+        throw new Error("location is required");
+    if (!options)
+        throw new Error("options is required");
+    if (!types_1.isValidSamlSigningOptions(options))
+        throw new Error("options.privateKey is required");
+    const transforms = (_a = options.xmlSignatureTransforms) !== null && _a !== void 0 ? _a : defaultTransforms;
+    const sig = new xmlCrypto.SignedXml();
+    if (options.signatureAlgorithm != null) {
+        sig.signatureAlgorithm = algorithms.getSigningAlgorithm(options.signatureAlgorithm);
+    }
+    sig.addReference(xpath, transforms, algorithms.getDigestAlgorithm(options.digestAlgorithm));
+    sig.signingKey = options.privateKey;
+    sig.computeSignature(xml, {
+        location,
+    });
+    return sig.getSignedXml();
+};
+exports.signXml = signXml;
+const parseDomFromString = (xml) => {
+    return new xmldom.DOMParser().parseFromString(xml);
+};
+exports.parseDomFromString = parseDomFromString;
+const parseXml2JsFromString = async (xml) => {
+    const parserConfig = {
+        explicitRoot: true,
+        explicitCharkey: true,
+        tagNameProcessors: [xml2js.processors.stripPrefix],
+    };
+    const parser = new xml2js.Parser(parserConfig);
+    return parser.parseStringPromise(xml);
+};
+exports.parseXml2JsFromString = parseXml2JsFromString;
+const buildXml2JsObject = (rootName, xml) => {
+    const builderOpts = {
+        rootName,
+        headless: true,
+    };
+    return new xml2js.Builder(builderOpts).buildObject(xml);
+};
+exports.buildXml2JsObject = buildXml2JsObject;
+const buildXmlBuilderObject = (xml, pretty) => {
+    const options = pretty ? { pretty: true, indent: "  ", newline: "\n" } : {};
+    return xmlbuilder.create(xml).end(options);
+};
+exports.buildXmlBuilderObject = buildXmlBuilderObject;
+//# sourceMappingURL=xml.js.map