Remove redirect support from passport-saml-too branch, since it doesn…

…'t validate signatures.
node-saml · May 29, 2014 · 6f2087e · 6f2087e · ploer · May 31, 2014
1 parent 6da8caa
commit 6f2087e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 37 deletions.
diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
@@ -218,11 +218,10 @@ SAML.prototype.certToPEM = function (cert) {
   return cert;
 };
 
-SAML.prototype.validateSignature = function (xml, cert, signature) {
+SAML.prototype.validateSignature = function (xml, cert) {
   var self = this;
   var doc = new xmldom.DOMParser().parseFromString(xml);
-  if (signature === "") { return true; }
-  signature = signature || xmlCrypto.xpath(doc, "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0].toString();
+  var signature = xmlCrypto.xpath(doc, "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0].toString();
   var sig = new xmlCrypto.SignedXml();
   sig.keyInfoProvider = {
     getKeyInfo: function (key) {
@@ -238,40 +237,15 @@ SAML.prototype.validateSignature = function (xml, cert, signature) {
 
 SAML.prototype.validatePostResponse = function (container, callback) {
   var xml = new Buffer(container.SAMLResponse, 'base64').toString('ascii');
-  return this.validateXML(xml, null, validateResponse, callback);
+  return this.validateXML(xml, validateResponse, callback);
 };
 
 SAML.prototype.validatePostRequest = function (container, callback) {
   var xml = new Buffer(container.SAMLRequest, 'base64').toString('ascii');
-  return this.validateXML(xml, null, validateRequest, callback);
+  return this.validateXML(xml, validateRequest, callback);
 };
 
-SAML.prototype.validateRedirectResponse = function (container, callback) {
-  var data = new Buffer(container.SAMLResponse, "base64");
-  var signature = null; //new Buffer(container.Signature, 'base64').toString('ascii');
-  this.validateRedirect(data, signature, validateResponse, callback);
-};
-
-SAML.prototype.validateRedirectRequest = function (container, callback) {
-  var data = new Buffer(container.SAMLRequest, "base64");
-  var signature = null; //new Buffer(container.Signature, 'base64').toString('ascii');
-  this.validateRedirect(data, signature, validateRequest, callback);
-};
-
-SAML.prototype.validateRedirect = function(data, signature, validate, callback) {
-  var self = this;
-  // TODO verify redirect
-
-  zlib.inflateRaw(data, function(err, inflated) {
-    if (err) {
-      return callback(err);
-    }
-
-    self.validateXML(inflated.toString("utf8"), "", validate, callback);
-  });
-};
-
-SAML.prototype.validateXML = function (xml, signature, validate, callback) {
+SAML.prototype.validateXML = function (xml, validate, callback) {
   var self = this;
   var parserConfig = {
     explicitRoot: true,
@@ -284,7 +258,7 @@ SAML.prototype.validateXML = function (xml, signature, validate, callback) {
     }
 
     // Verify signature
-    if (self.options.cert && !self.validateSignature(xml, self.options.cert, signature)) {
+    if (self.options.cert && !self.validateSignature(xml, self.options.cert)) {
       return callback(new Error('Invalid signature'), null, false);
     }
 

diff --git a/lib/passport-saml/strategy.js b/lib/passport-saml/strategy.js
@@ -62,12 +62,8 @@ Strategy.prototype.authenticate = function (req, options) {
     }
   }
 
-  if (req.query && req.query.SAMLResponse) {
-      this._saml.validateRedirectResponse(req.query, validateCallback);
-  } else if (req.body && req.body.SAMLResponse) {
+  if (req.body && req.body.SAMLResponse) {
       this._saml.validatePostResponse(req.body, validateCallback);
-  } else if (req.query && req.query.SAMLRequest) {
-      this._saml.validateRedirectRequest(req.query, validateCallback);
   } else if (req.body && req.body.SAMLRequest) {
       this._saml.validatePostRequest(req.body, validateCallback);
   } else if (options.samlFallback) {