fix: exporting SAML connections base64 encode the certificate (#1008)

* Add Base64 encoding for SAML certificate options in connections

* unit test added for encodeCertStringToBase64

Author: kushalshit27

src/context/directory/handlers/connections.ts

@@ -12,6 +12,7 @@ import {
   sanitize,
   ensureProp,
   mapClientID2NameSorted,
+  encodeCertStringToBase64,
 } from '../../../utils';
 import { DirectoryHandler } from '.';
 import DirectoryContext from '..';
@@ -88,6 +89,18 @@ async function dump(context: DirectoryContext): Promise<void> {
       dumpedConnection.options.email.body = `./${connectionName}.html`;
     }
 
+    if (dumpedConnection.strategy === 'samlp' && dumpedConnection.options) {
+      if ('cert' in dumpedConnection.options) {
+        dumpedConnection.options.cert = encodeCertStringToBase64(dumpedConnection.options.cert);
+      }
+
+      if ('signingCert' in dumpedConnection.options) {
+        dumpedConnection.options.signingCert = encodeCertStringToBase64(
+          dumpedConnection.options.signingCert
+        );
+      }
+    }
+
     const connectionFile = path.join(connectionsFolder, `${connectionName}.json`);
     dumpJSON(connectionFile, dumpedConnection);
   });

src/context/yaml/handlers/connections.ts

@@ -9,6 +9,7 @@ import {
   ensureProp,
   convertClientIdToName,
   mapClientID2NameSorted,
+  encodeCertStringToBase64,
 } from '../../../utils';
 import { YAMLHandler } from '.';
 import YAMLContext from '..';
@@ -90,6 +91,17 @@ async function dump(context: YAMLContext): Promise<ParsedConnections> {
         dumpedConnection.options.email.body = `./${connectionName}.html`;
       }
 
+      if (dumpedConnection.strategy === 'samlp' && dumpedConnection.options) {
+        if ('cert' in dumpedConnection.options) {
+          dumpedConnection.options.cert = encodeCertStringToBase64(dumpedConnection.options.cert);
+        }
+
+        if ('signingCert' in dumpedConnection.options) {
+          dumpedConnection.options.signingCert = encodeCertStringToBase64(
+            dumpedConnection.options.signingCert
+          );
+        }
+      }
       return dumpedConnection;
     }),
   };

src/utils.ts

@@ -259,3 +259,16 @@ export const findKeyPathWithValue = (obj: any, findKey: string, parentPath: stri
 
   return results;
 };
+
+/**
+ * Encodes a certificate string to Base64 format if it starts with '-----BEGIN CERTIFICATE-----'.
+ *
+ * @param cert - The certificate string to be encoded.
+ * @returns The Base64 encoded certificate string if the input starts with '-----BEGIN CERTIFICATE-----', otherwise returns the original string.
+ */
+export const encodeCertStringToBase64 = (cert: string) => {
+  if (cert?.startsWith('-----BEGIN CERTIFICATE-----')) {
+    return Buffer.from(cert).toString('base64');
+  }
+  return cert;
+};

test/utils.test.js

@@ -19,6 +19,7 @@ import {
   sanitize,
   stripIdentifiers,
   toConfigFn,
+  encodeCertStringToBase64,
 } from '../src/utils';
 
 const mockConfigFn = () => {};
@@ -269,4 +270,23 @@ describe('#utils', function () {
       expect(mapClientID2NameSorted(null, null)).deep.equal([]);
     });
   });
+
+  describe('encodeCertStringToBase64', () => {
+    it('should encode certificate string to Base64', () => {
+      const cert =
+        '-----BEGIN CERTIFICATE-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7\n-----END CERTIFICATE-----';
+      const expectedBase64 = Buffer.from(cert).toString('base64');
+      expect(encodeCertStringToBase64(cert)).to.equal(expectedBase64);
+    });
+
+    it('should return the original string if it does not start with "-----BEGIN CERTIFICATE-----"', () => {
+      const nonCertString = 'This is not a certificate';
+      expect(encodeCertStringToBase64(nonCertString)).to.equal(nonCertString);
+    });
+
+    it('should return the original string if it is null or undefined', () => {
+      expect(encodeCertStringToBase64(null)).to.equal(null);
+      expect(encodeCertStringToBase64(undefined)).to.equal(undefined);
+    });
+  });
 });