Implement SAML AuthnRequest generation and tests

neSpecc · neSpecc · commit 1369b2c06a45 · 2025-12-24T22:01:07.000+03:00
Added logic to generate SAML AuthnRequest using node-saml, extract the request ID from the encoded request, and handle errors. Updated and expanded unit tests to cover successful generation, error cases, and correct invocation of SAML library methods.
diff --git a/src/sso/saml/service.ts b/src/sso/saml/service.ts
@@ -12,7 +12,7 @@ export default class SamlService {
    *
    * @param workspaceId - workspace ID
    * @param acsUrl - Assertion Consumer Service URL
-   * @param relayState - relay state to pass through
+   * @param relayState - context of user returning (url + relay state id)
    * @param samlConfig - SAML configuration
    * @returns AuthnRequest ID and encoded SAML request
    */
@@ -22,16 +22,59 @@ export default class SamlService {
     relayState: string,
     samlConfig: SamlConfig
   ): Promise<{ requestId: string; encodedRequest: string }> {
+    const saml = this.createSamlInstance(acsUrl, samlConfig);
+
     /**
-     * @todo Implement using @node-saml/node-saml
-     *
-     * This method should:
-     * 1. Generate unique AuthnRequest ID
-     * 2. Create SAML AuthnRequest XML
-     * 3. Encode it as base64
-     * 4. Return both requestId and encoded request
+     * Generate AuthnRequest message
+     * node-saml returns object with SAMLRequest (deflated + base64 encoded)
      */
-    throw new Error('Not implemented');
+    const authorizeMessage = await saml.getAuthorizeMessageAsync(relayState, undefined, {});
+
+    const encodedRequest = authorizeMessage.SAMLRequest as string;
+
+    if (!encodedRequest) {
+      throw new Error('Failed to generate SAML AuthnRequest');
+    }
+
+    /**
+     * Extract request ID from the generated request
+     * node-saml generates unique ID internally using generateUniqueId option
+     * We need to decode and parse to get the ID for InResponseTo validation
+     */
+    const requestId = this.extractRequestIdFromEncodedRequest(encodedRequest);
+
+    return {
+      requestId,
+      encodedRequest,
+    };
+  }
+
+  /**
+   * Extract request ID from encoded SAML AuthnRequest
+   *
+   * @param encodedRequest - deflated and base64 encoded SAML request
+   * @returns request ID
+   */
+  private extractRequestIdFromEncodedRequest(encodedRequest: string): string {
+    const zlib = require('zlib');
+
+    /**
+     * Decode base64 and inflate
+     */
+    const decoded = Buffer.from(encodedRequest, 'base64');
+    const inflated = zlib.inflateRawSync(decoded).toString('utf-8');
+
+    /**
+     * Extract ID attribute from AuthnRequest XML
+     * Format: <samlp:AuthnRequest ... ID="_abc123" ...>
+     */
+    const idMatch = inflated.match(/ID="([^"]+)"/);
+
+    if (!idMatch || !idMatch[1]) {
+      throw new Error('Failed to extract request ID from AuthnRequest');
+    }
+
+    return idMatch[1];
   }
 
   /**
diff --git a/test/sso/saml/service.test.ts b/test/sso/saml/service.test.ts
@@ -30,6 +30,7 @@ describe('SamlService', () => {
 
   const mockSamlInstance = {
     validatePostResponseAsync: jest.fn(),
+    getAuthorizeMessageAsync: jest.fn(),
   };
 
   beforeEach(() => {
@@ -47,14 +48,109 @@ describe('SamlService', () => {
   });
 
   describe('generateAuthnRequest', () => {
+    const testRelayState = 'test-relay-state-123';
+
     /**
-     * TODO: Add tests for:
-     * 1. Should generate valid AuthnRequest with correct structure
-     * 2. Should include correct ACS URL
-     * 3. Should include correct SP Entity ID
-     * 4. Should return unique request ID
-     * 5. Should return base64-encoded request
+     * Helper to create a mock SAML AuthnRequest (deflated + base64 encoded)
      */
+    function createMockEncodedRequest(requestId: string): string {
+      const zlib = require('zlib');
+      const xml = `<?xml version="1.0"?>
+        <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+          ID="${requestId}"
+          Version="2.0"
+          IssueInstant="2025-01-01T00:00:00Z"
+          Destination="https://idp.example.com/sso"
+          AssertionConsumerServiceURL="https://api.example.com/auth/sso/saml/507f1f77bcf86cd799439011/acs">
+          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:hawk:tracker:saml</saml:Issuer>
+        </samlp:AuthnRequest>`;
+
+      const deflated = zlib.deflateRawSync(xml);
+
+      return deflated.toString('base64');
+    }
+
+    it('should generate AuthnRequest and return request ID', async () => {
+      const mockRequestId = '_test-request-id-12345';
+      const mockEncodedRequest = createMockEncodedRequest(mockRequestId);
+
+      mockSamlInstance.getAuthorizeMessageAsync.mockResolvedValue({
+        SAMLRequest: mockEncodedRequest,
+        RelayState: testRelayState,
+      });
+
+      const result = await samlService.generateAuthnRequest(
+        testWorkspaceId,
+        testAcsUrl,
+        testRelayState,
+        testSamlConfig
+      );
+
+      expect(result.requestId).toBe(mockRequestId);
+      expect(result.encodedRequest).toBe(mockEncodedRequest);
+    });
+
+    it('should call getAuthorizeMessageAsync with correct relay state', async () => {
+      const mockRequestId = '_another-request-id';
+      const mockEncodedRequest = createMockEncodedRequest(mockRequestId);
+
+      mockSamlInstance.getAuthorizeMessageAsync.mockResolvedValue({
+        SAMLRequest: mockEncodedRequest,
+      });
+
+      await samlService.generateAuthnRequest(
+        testWorkspaceId,
+        testAcsUrl,
+        testRelayState,
+        testSamlConfig
+      );
+
+      expect(mockSamlInstance.getAuthorizeMessageAsync).toHaveBeenCalledWith(
+        testRelayState,
+        undefined,
+        {}
+      );
+    });
+
+    it('should throw error when SAMLRequest is not returned', async () => {
+      mockSamlInstance.getAuthorizeMessageAsync.mockResolvedValue({
+        /**
+         * No SAMLRequest in response
+         */
+      });
+
+      await expect(
+        samlService.generateAuthnRequest(
+          testWorkspaceId,
+          testAcsUrl,
+          testRelayState,
+          testSamlConfig
+        )
+      ).rejects.toThrow('Failed to generate SAML AuthnRequest');
+    });
+
+    it('should throw error when request ID cannot be extracted', async () => {
+      const zlib = require('zlib');
+      /**
+       * Invalid XML without ID attribute
+       */
+      const invalidXml = '<invalid>no id here</invalid>';
+      const deflated = zlib.deflateRawSync(invalidXml);
+      const invalidEncodedRequest = deflated.toString('base64');
+
+      mockSamlInstance.getAuthorizeMessageAsync.mockResolvedValue({
+        SAMLRequest: invalidEncodedRequest,
+      });
+
+      await expect(
+        samlService.generateAuthnRequest(
+          testWorkspaceId,
+          testAcsUrl,
+          testRelayState,
+          testSamlConfig
+        )
+      ).rejects.toThrow('Failed to extract request ID from AuthnRequest');
+    });
   });
 
   describe('validateAndParseResponse', () => {
