Initial Project Commit

src/main/resources/mock-idp/idp.js

@@ -0,0 +1,315 @@
+const { SignedXml } = require('xml-crypto');
+const { DOMParser } = require('@xmldom/xmldom');
+const crypto = require('crypto');
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const bodyParser = require('body-parser');
+const zlib = require('zlib');
+const xml2js = require('xml2js');
+
+const app = express();
+const port = 3000;
+
+// Enable body parsing
+app.use(bodyParser.urlencoded({ extended: true }));
+
+let storedSamlRequest = null;
+let storedRelayState = null;
+let storedQueryParameters = null;
+
+// Step 1: Receive SAMLRequest and render login form
+app.get('/saml/sso', async (req, res) => {
+  storedQueryParameters = req.query;
+  console.log('Received query parameters:', req.query); // 👈 log all query parameters
+
+  const samlRequest = req.query.SAMLRequest;
+  const relayState = req.query.RelayState || '';
+
+  if (!samlRequest) {
+    return res.status(400).send('Missing SAMLRequest');
+  }
+
+  // Store temporarily
+  storedSamlRequest = samlRequest;
+  storedRelayState = relayState;
+
+  // Show simple login form
+  res.send(createLoginForm());
+});
+
+// Step 2: Handle login form and send SAMLResponse
+app.post('/saml/login', (req, res) => {
+  const { username, email, orgCode, securityGroup, roles } = req.body;
+  if (!storedSamlRequest) {
+    return res.status(400).send('No SAMLRequest stored');
+  }
+  
+  // Get the issuer URL (the IDP ID [the application.yml = resilient.security.saml2.relyingparty.registration.mock-idp.assertingparty.entity-id])
+  const issuerUrlDefault = 'http://localhost:3000/saml/metadata';
+  const issuerUrl = storedQueryParameters['issuerUrl'] ? storedQueryParameters['issuerUrl'] : issuerUrlDefault;
+
+  // Get the base url of ServiceProvider (the server APP)
+  const serviceProviderUrlDefault = 'https://localhost:8443'; // Or 'http://localhost:8081'
+  const serviceProviderUrl = storedQueryParameters['spUrl'] ? storedQueryParameters['spUrl'] : serviceProviderUrlDefault;
+
+  // Build ACS (Assertion Consumer Service) URL — this is the Spring Boot app’s endpoint where the SAML Response is posted back after authentication.
+  const acsUrlPath = '/login/saml2/sso/mock-idp';
+  const acsUrl = serviceProviderUrl + acsUrlPath;
+
+  console.log('ServiceProvider URL :', serviceProviderUrl); 
+  console.log('ServiceProvider ACS :', acsUrl); 
+
+  const samlResponse = createFakeSamlResponse(username, email, orgCode, securityGroup, roles, serviceProviderUrl, issuerUrl);
+  const relayState = storedRelayState;
+
+  res.send(`
+    <html>
+      <body onload="document.forms[0].submit()">
+        <form method="POST" action="${acsUrl}">
+          <input type="hidden" name="SAMLResponse" value="${samlResponse.replace(/"/g, '&quot;')}" />
+          <input type="hidden" name="RelayState" value="${relayState.replace(/"/g, '&quot;')}" />
+        </form>
+      </body>
+    </html>
+  `);
+});
+
+function createFakeSamlResponse(nameId, email, orgCode, securityGroupCode, roles, serviceProviderUrl, issuerUrl) {
+  const issuer = issuerUrl;
+  // const audience = "https://localhost:8443/saml2/service-provider-metadata/mock-idp";
+  const audience = serviceProviderUrl + "/saml2/service-provider-metadata/mock-idp";
+  const now = new Date().toISOString();
+  const fiveMinutesLater = new Date(Date.now() + 5 * 60000).toISOString();
+  const assertionId = `_assertion_${crypto.randomUUID()}`;
+  const responseId = `_response_${crypto.randomUUID()}`;
+
+  // const recipient = "https://localhost:8443/login/saml2/sso/mock-idp";
+  const recipient = serviceProviderUrl + "/login/saml2/sso/mock-idp";
+  // const destination = "https://localhost:8443/login/saml2/sso/mock-idp";
+  const destination = serviceProviderUrl + "/login/saml2/sso/mock-idp";
+
+  console.log('SAML Recipient   :', recipient); 
+  console.log('SAML Destination :', destination); 
+  console.log('SAML Issuer :', issuer); 
+
+  const assertion = `
+  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="${assertionId}" IssueInstant="${now}" Version="2.0">
+    <saml:Issuer>${issuer}</saml:Issuer>
+    <saml:Subject>
+      <saml:NameID>${nameId}</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="${fiveMinutesLater}" Recipient="${recipient}" />
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="${now}" NotOnOrAfter="${fiveMinutesLater}">
+      <saml:AudienceRestriction>
+        <saml:Audience>${audience}</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="${now}">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="email">
+        <saml:AttributeValue>${email}</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="organization_code">
+        <saml:AttributeValue>${orgCode}</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="security_group">
+        <saml:AttributeValue>${securityGroupCode}</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="roles">
+        <saml:AttributeValue>${roles}</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>`;
+
+  const privateKey = fs.readFileSync(path.join(__dirname, 'certs', 'idp-private.key'), 'utf8');
+  const certificate = fs.readFileSync(path.join(__dirname, 'certs', 'idp-public.cert'), 'utf8');
+  const certBase64 = certificate
+    .replace(/-----BEGIN CERTIFICATE-----/, '')
+    .replace(/-----END CERTIFICATE-----/, '')
+    .replace(/\r?\n|\r/g, '');
+
+  const doc = new DOMParser().parseFromString(assertion);
+  const sig = new SignedXml();
+  sig.prefix = 'ds';
+  sig.addReference("//*[local-name(.)='Assertion']", [
+    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
+    "http://www.w3.org/2001/10/xml-exc-c14n#",
+  ], "http://www.w3.org/2000/09/xmldsig#sha1");
+  sig.signingKey = privateKey;
+  sig.keyInfoProvider = {
+    getKeyInfo: () => `<ds:X509Data><ds:X509Certificate>${certBase64}</ds:X509Certificate></ds:X509Data>`
+  };
+  sig.computeSignature(assertion, {
+    prefix: 'ds',
+    location: { reference: "//*[local-name(.)='Issuer']", action: 'after' }
+  });
+
+  const signedAssertion = sig.getSignedXml();
+  const samlResponse = `<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="${responseId}" Version="2.0" IssueInstant="${now}" Destination="${destination}"><saml:Issuer>${issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>${signedAssertion}</samlp:Response>`;
+
+  const samlResponseToUse = samlResponse.trim().replace(/^\uFEFF/, '');
+  return Buffer.from(samlResponseToUse, 'utf-8').toString('base64');
+}
+
+function createLoginFormOLD() {
+  const form = `
+    <html>
+      <body>
+        <h2>Mock Login</h2>
+        <form method="POST" action="/saml/login">
+          Username: <input name="username" value="test-user"/><br/>
+          Email: <input name="email" value="test@example.com"/><br/>
+          Org Code: <input name="orgCode" value="NOVA"/><br/>
+          Security Group: <input name="securityGroup" value="GRP_USER"/><br/>
+          Roles: <select name="roles" multiple size="4">
+            <option value="ROLE_USER">ROLE_USER</option>
+            <option value="ROLE_COORDINATOR">ROLE_COORDINATOR</option>
+            <option value="ROLE_MANAGER">ROLE_MANAGER</option>
+            <option value="ROLE_ADMIN">ROLE_ADMIN</option>
+          </select><br/><br/>
+          <button type="submit">Login</button>
+        </form>
+      </body>
+    </html>
+  `;
+  return form;
+}
+
+function createLoginForm() {
+  const form = `
+  <html>
+    <head>
+      <style>
+        body {
+          font-family: Arial, sans-serif;
+          background-color: #f4f4f4;
+          display: flex;
+          justify-content: center;
+          align-items: center;
+          height: 100vh;
+        }
+        .form-container {
+          background: #fff;
+          padding: 30px 40px;
+          border-radius: 8px;
+          box-shadow: 0 0 10px rgba(0,0,0,0.1);
+          width: 400px;
+        }
+        h2 {
+          text-align: center;
+          margin-bottom: 20px;
+        }
+        label {
+          display: block;
+          margin: 10px 0 5px;
+          font-weight: bold;
+        }
+        input[type="text"],
+        input[type="email"],
+        select {
+          width: 100%;
+          padding: 8px;
+          box-sizing: border-box;
+          border-radius: 4px;
+          border: 1px solid #ccc;
+        }
+        button {
+          margin-top: 20px;
+          width: 100%;
+          padding: 10px;
+          background-color: #007bff;
+          color: white;
+          border: none;
+          border-radius: 4px;
+          font-size: 16px;
+          cursor: pointer;
+        }
+        button:hover {
+          background-color: #0056b3;
+        }
+      </style>
+    </head>
+    <body>
+      <div class="form-container">
+        <h2>Mock Login</h2>
+        <form method="POST" action="/saml/login">
+          <label for="username">Username</label>
+          <input id="username" name="username" value="test-user" type="text"/>
+
+          <label for="email">Email</label>
+          <input id="email" name="email" value="test@example.com" type="email"/>
+
+          <label for="orgCode">Org Code</label>
+          <input id="orgCode" name="orgCode" value="NOVA" type="text"/>
+
+          <label for="securityGroup">Security Group</label>
+          <input id="securityGroup" name="securityGroup" value="GRP_USER" type="text"/>
+
+          <label for="roles">Roles</label>
+          <select id="roles" name="roles" multiple size="4">
+            <option value="ROLE_USER">ROLE_USER</option>
+            <option value="ROLE_COORDINATOR">ROLE_COORDINATOR</option>
+            <option value="ROLE_MANAGER">ROLE_MANAGER</option>
+            <option value="ROLE_ADMIN">ROLE_ADMIN</option>
+          </select>
+
+          <button type="submit">Login</button>
+        </form>
+      </div>
+    </body>
+  </html>
+  `;
+
+  
+  return form;
+}
+
+// Function to extract Issuer from SAMLRequest (returns a Promise)
+function extractIssuerFromSAMLRequest(samlRequestBase64) {
+  return new Promise((resolve, reject) => {
+    const samlRequestBuffer = Buffer.from(samlRequestBase64, 'base64');
+
+    zlib.inflateRaw(samlRequestBuffer, (err, decoded) => {
+      if (err) {
+        return reject(new Error('Failed to inflate SAMLRequest'));
+      }
+
+      const xml = decoded.toString('utf8');
+
+      xml2js.parseString(xml, { tagNameProcessors: [xml2js.processors.stripPrefix] }, (parseErr, result) => {
+        if (parseErr) {
+          return reject(new Error('Failed to parse SAMLRequest XML'));
+        }
+
+        // Debugging: log the entire parsed result to see structure
+        // console.log("Parsed XML result:", result);
+
+        // Extract Issuer from the first element of the array
+        const issuerObject = result?.AuthnRequest?.Issuer?.[0]; // Issuer is an array, so we access the first element
+        if (!issuerObject) {
+          return reject(new Error('Issuer not found in SAMLRequest'));
+        }
+
+        // Access the text content of the Issuer object (it may be in the '#text' property)
+        const issuer = issuerObject._ || issuerObject['#text']; // Extract the actual string value
+
+        if (!issuer) {
+          return reject(new Error('Issuer value is missing in the SAMLRequest'));
+        }
+
+        resolve(issuer);  // Return the issuer as a string
+      });
+    });
+  });
+}
+
+app.listen(port, () => {
+  console.log(`Mock IDP running at http://localhost:${port}`);
+});