Add deprecation notice for privateCert; fix bug (#492)

node-saml · Nov 3, 2020 · c2f32c6 · c2f32c6
1 parent be111f3
commit c2f32c6
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 12 deletions.
diff --git a/src/passport-saml/saml-post-signing.ts b/src/passport-saml/saml-post-signing.ts
@@ -9,15 +9,27 @@ const defaultTransforms = [ 'http://www.w3.org/2000/09/xmldsig#enveloped-signatu
 export function signSamlPost(samlMessage: string, xpath: string, options: SAMLOptions) {
   if (!samlMessage) throw new Error('samlMessage is required');
   if (!xpath) throw new Error('xpath is required');
-  if (!options || (!options.privateCert && !options.privateKey)) throw new Error('options.privateCert or options.privateKey is required');
+  if (!options) {
+    options = {} as SAMLOptions;
+  }
+
+  if (options.privateCert) {
+    console.warn("options.privateCert has been deprecated; use options.privateKey instead.");
+
+    if (!options.privateKey) {
+      options.privateKey = options.privateCert;
+    }
+  }
+
+  if (!options.privateKey) throw new Error('options.privateKey is required');
 
   const transforms = options.xmlSignatureTransforms || defaultTransforms;
   const sig = new SignedXml();
   if (options.signatureAlgorithm) {
     sig.signatureAlgorithm = algorithms.getSigningAlgorithm(options.signatureAlgorithm);
   }
   sig.addReference(xpath, transforms, algorithms.getDigestAlgorithm(options.digestAlgorithm));
-  sig.signingKey = options.privateCert || options.privateKey;
+  sig.signingKey = options.privateKey;
   sig.computeSignature(samlMessage, { location: { reference: xpath + issuerXPath, action: 'after' }});
   return sig.getSignedXml();
 }

diff --git a/src/passport-saml/saml.ts b/src/passport-saml/saml.ts
@@ -117,7 +117,7 @@ export interface SAMLOptions {
   callbackUrl: string;
   signatureAlgorithm: string;
   path: string;
-  privateCert: string;
+  privateCert?: string;
   privateKey: string;
   logoutUrl: string;
   entryPoint: string;
@@ -153,6 +153,14 @@ class SAML {
       options = {};
     }
 
+    if (options.privateCert) {
+      console.warn("options.privateCert has been deprecated; use options.privateKey instead.");
+
+      if (!options.privateKey) {
+        options.privateKey = options.privateCert;
+      }
+    }
+
     if (Object.prototype.hasOwnProperty.call(options, 'cert') && !options.cert) {
       throw new Error('Invalid property: cert must not be empty');
     }
@@ -267,7 +275,7 @@ class SAML {
       samlMessageToSign.SigAlg = samlMessage.SigAlg;
     }
     signer.update(querystring.stringify(samlMessageToSign));
-    samlMessage.Signature = signer.sign(this.keyToPEM(this.options.privateCert) || this.options.privateKey, 'base64');
+    samlMessage.Signature = signer.sign(this.keyToPEM(this.options.privateKey), 'base64');
   }
 
   generateAuthorizeRequest(req: Request, isPassive: boolean, isHttpPostBinding: boolean, callback: (err: Error | null, request?: string) => void) {
@@ -392,8 +400,7 @@ class SAML {
       }
 
       let stringRequest = xmlbuilder.create(request as unknown as Record<string, any>).end();
-      const privateKey = this.options.privateCert || this.options.privateKey;
-      if (isHttpPostBinding && privateKey) {
+      if (isHttpPostBinding && this.options.privateKey) {
         stringRequest = signAuthnRequestPost(stringRequest, this.options);
       }
       callback(null, stringRequest);
@@ -500,8 +507,7 @@ class SAML {
       Object.keys(additionalParameters).forEach(k => {
         samlMessage[k] = additionalParameters[k];
       });
-      const privateKey = this.options.privateCert || this.options.privateKey;
-      if (privateKey) {
+      if (this.options.privateKey) {
         try {
           if (!this.options.entryPoint) {
             throw new Error('"entryPoint" config parameter is required for signed messages');
@@ -1340,17 +1346,16 @@ class SAML {
           "Missing decryptionCert while generating metadata for decrypting service provider");
       }
     }
-    const privateKey = this.options.privateCert || this.options.privateKey;
-    if(privateKey){
+    if(this.options.privateKey){
       if(!signingCert){
         throw new Error(
           "Missing signingCert while generating metadata for signing service provider messages");
       }
     }
 
-    if(this.options.decryptionPvk || privateKey){
+    if(this.options.decryptionPvk || this.options.privateKey){
       metadata.EntityDescriptor.SPSSODescriptor.KeyDescriptor=[];
-      if (privateKey) {
+      if (this.options.privateKey) {
 
         signingCert = signingCert!.replace( /-+BEGIN CERTIFICATE-+\r?\n?/, '' );
         signingCert = signingCert.replace( /-+END CERTIFICATE-+\r?\n?/, '' );