Fixes node-saml not checking all Audiences in an `AudienceRestric…

…tion` (#340)
node-saml · Dec 28, 2023 · cb13ea6 · cb13ea6
1 parent e691ccf
commit cb13ea6
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/src/saml.ts b/src/saml.ts
@@ -1226,12 +1226,12 @@ class SAML {
         if (!restriction.Audience || !restriction.Audience[0] || !restriction.Audience[0]._) {
           return new Error("SAML assertion AudienceRestriction has no Audience value");
         }
-        if (restriction.Audience[0]._ !== expectedAudience) {
+        if (restriction.Audience.every((audience) => audience._ !== expectedAudience)) {
           return new Error(
             "SAML assertion audience mismatch. Expected: " +
               expectedAudience +
               " Received: " +
-              restriction.Audience[0]._,
+              restriction.Audience.map((audience) => audience._).join(", "),
           );
         }
         return null;

diff --git a/test/tests.spec.ts b/test/tests.spec.ts
@@ -2826,6 +2826,57 @@ describe("node-saml /", function () {
         assertRequired(profile, "profile must exist");
         expect(profile.nameID.startsWith("ploer")).to.be.true;
       });
+
+      it("onelogin xml document with audience matching one of the audiences in an AudienceRestriction should pass", async () => {
+        const signingCert = fs.readFileSync(__dirname + "/static/cert.pem", "utf-8");
+        const xml = `<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfxb9beedb9-b556-2a51-a783-bfcf6e91cd9c" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50">
+  <saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfxb9beedb9-b556-2a51-a783-bfcf6e91cd9c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>edDN6bvyl6Xxktgt8vti1AUM7nw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>jpcVTjUyur7nak60faEHY/yEGTNtyyvMtRGmiZPNXmsj3SaeJdWiLRojrW1SoqC7Db3wPb/3KCXMshlgqaO8b+/V3Y8QW30GuYiQ3xRnKe4mcKUHboKricNb7Ak7+1KjS52DfihkNPna4JwiL5aAECx87H06ZJ2aUdoat47F4Nfus5T4s0RhNZ+IQcvccjTYAmysfUU+LpI2A8oqIESZlgq0hx9aApdyTEeILIBKxm8tWXw8yIWEo2LZ5EqAsgD5rdDPE4pt6ci/9p+BTlhfDvpSfPm0szJggA2yrsttVN+cgbtB/0OzCEUCEH6cleB2og7hzHaa2MOOBqXSXJHlhw==</ds:SignatureValue>
+</ds:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa" IssueInstant="2014-05-28T00:16:08Z">
+    <saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer>
+    <saml:Subject>
+      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ploer@subspacesw.com</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2014-05-28T00:19:08Z" Recipient="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2014-05-28T00:13:08Z" NotOnOrAfter="2014-05-28T00:19:08Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>test</saml:Audience>
+        <saml:Audience>http://sp.example.com</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2014-05-28T00:16:07Z" SessionNotOnOrAfter="2014-05-29T00:16:08Z" SessionIndex="_30a4af50-c82b-0131-f8b5-782bcb56fcaa">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+  </saml:Assertion>
+</samlp:Response>`;
+        const base64xml = Buffer.from(xml).toString("base64");
+        const container = { SAMLResponse: base64xml };
+
+        const samlConfig: SamlConfig = {
+          callbackUrl: "http://localhost/saml/consume",
+          entryPoint: "https://app.onelogin.com/trust/saml2/http-post/sso/371755",
+          audience: "http://sp.example.com",
+          acceptedClockSkewMs: -1,
+          cert: signingCert,
+          issuer: "onesaml_login",
+          wantAssertionsSigned: false,
+        };
+        const samlObj = new SAML(samlConfig);
+
+        const { profile } = await samlObj.validatePostResponseAsync(container);
+        assertRequired(profile, "profile must exist");
+        expect(profile.nameID.startsWith("ploer")).to.be.true;
+      });
     });
   });
   describe("validatePostRequest()", function () {