From a9c20c915107ebf28b28af410f67f025a650fb81 Mon Sep 17 00:00:00 2001 From: Roberto Sero <> Date: Tue, 19 Mar 2024 12:21:45 +0100 Subject: [PATCH 1/3] chore: upgraded spid-saml-check --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 16e7422..ad2e431 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,7 +15,7 @@ services: volumes: - config:/certs:rw spid: - image: "italia/spid-saml-check:1.9.2" + image: "italia/spid-saml-check:1.10.4" ports: - "8443:8443" web: From 95a008346e0f4188d61e5c2e10cb3cdb33190936 Mon Sep 17 00:00:00 2001 From: Roberto Sero <> Date: Tue, 19 Mar 2024 12:21:52 +0100 Subject: [PATCH 2/3] chore: less tests for perf --- test.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/test.sh b/test.sh index 40b8879..88b7904 100644 --- a/test.sh +++ b/test.sh @@ -13,16 +13,16 @@ function t { docker-compose -f $C build -q -t HTTP-POST sha256 exact 1 +# t HTTP-POST sha256 exact 1 t HTTP-Redirect sha512 minimum 1 -t HTTP-POST sha256 maximum 1 +# t HTTP-POST sha256 maximum 1 # t HTTP-Redirect sha512 better 1 # not working atm -t HTTP-Redirect sha512 exact 2 +# t HTTP-Redirect sha512 exact 2 t HTTP-POST sha256 minimum 2 -t HTTP-Redirect sha512 maximum 2 +# t HTTP-Redirect sha512 maximum 2 # t HTTP-POST sha256 better 2 # not working atm -t HTTP-Redirect sha512 exact 3 -t HTTP-POST sha256 minimum 3 +# t HTTP-Redirect sha512 exact 3 +# t HTTP-POST sha256 minimum 3 t HTTP-Redirect sha512 maximum 3 docker-compose -f $C down -v From 035759f23d266bdbbaf16f0f6d29a53ff922fcaa Mon Sep 17 00:00:00 2001 From: Roberto Sero <> Date: Tue, 19 Mar 2024 12:22:22 +0100 Subject: [PATCH 3/3] fix: include idpIssuer in cached data --- src/response.ts | 11 ++++++++--- src/saml.ts | 17 ++++++++++++++--- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/src/response.ts b/src/response.ts index d70d404..516fbd1 100644 --- a/src/response.ts +++ b/src/response.ts @@ -15,7 +15,12 @@ import difference from 'lodash.difference'; import { isISODateTimeUTC } from './util'; export class SpidResponse extends XML.XML { - validate(req: SpidRequest, config: SpidConfig, saml: SamlOptions) { + validate( + req: SpidRequest, + config: SpidConfig, + saml: SamlOptions, + idpIssuer: string, + ) { assert(this.response, `Missing response`); assert(this.assertion, `Missing assertion`); const { SAML_ASSERTION: A, SAML_PROTOCOL: P } = NS; @@ -120,12 +125,12 @@ export class SpidResponse extends XML.XML { // Issuer assert.strictEqual( data.issuer, - saml.idpIssuer, + idpIssuer, `Invalid Issuer "${data.issuer}"`, ); assert.strictEqual( data.assertion.issuer, - saml.idpIssuer, + idpIssuer, `Invalid Assertion Issuer "${data.assertion.issuer}"`, ); assert( diff --git a/src/saml.ts b/src/saml.ts index 348b1f5..f821216 100644 --- a/src/saml.ts +++ b/src/saml.ts @@ -4,6 +4,11 @@ import { SpidRequest } from './request'; import { SamlSpidProfile, SpidConfig } from './types'; import { SpidResponse } from './response'; +type CacheData = { + reqXml: string; + idpIssuer: string; +}; + export class SpidSAML extends SAML { constructor(samlConfig: SamlConfig, private spidConfig: SpidConfig) { super(samlConfig); @@ -29,7 +34,11 @@ export class SpidSAML extends SAML { xml = signAuthnRequestPost(xml, this.options as any); } const { cache } = this.spidConfig; - await cache.set(id, xml); + const cacheData: CacheData = { + reqXml: xml, + idpIssuer: this.options.idpIssuer, + }; + await cache.set(id, JSON.stringify(cacheData)); const timeoutMs = this.options.requestIdExpirationPeriodMs ?? 1000 * 60 * 60 * 15; if (cache.expire) { @@ -51,7 +60,9 @@ export class SpidSAML extends SAML { throw new Error(`Missing InResponseTo`); } const { cache } = this.spidConfig; - const reqXml = await cache.get(inResponseTo); + const cacheDataJSON = await cache.get(inResponseTo); + const cacheData = JSON.parse(cacheDataJSON) as CacheData; + const { reqXml } = cacheData; if (!reqXml) { throw new Error(`Missing request for ${inResponseTo} response`); } @@ -64,7 +75,7 @@ export class SpidSAML extends SAML { samlResponseXml, inResponseTo, ); - res.validate(req, this.spidConfig, this.options); + res.validate(req, this.spidConfig, this.options, cacheData.idpIssuer); const p = profile as SamlSpidProfile; p.getSamlRequestXml = () => reqXml; return { profile: p, loggedOut };