From 511049baac93626cdeefb629170cdcb835e4334d Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Wed, 3 Feb 2021 14:29:54 -0800
Subject: [PATCH 1/6] dep: Bump async from ^2.5.0 to ^3.2.0

This addresses async being an outdated dependency. https://github.com/caolan/async/blob/b7361922b1fd231cefa13ff80bfd359f482b5e6e/CHANGELOG.md#v300 notes the major difference between v2 and v3: "Most Async methods return a Promise when the final callback is omitted, making them await-able!" In our usage of async in the library, we explicitly have callback functions specified. In our tests, we seem to do so as well. Tests (and coverage) runs fine, so I'm fine with this dependency bump.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 8eb3199..33e0ebb 100644
--- a/package.json
+++ b/package.json
@@ -31,7 +31,7 @@
 "nyc": "^15.0.0"
 },
 "dependencies": {
- "async": "^2.5.0",
+ "async": "^3.2.0",
 "debug": "^2.6.0",
 "underscore": "^1.8.0",
 "xml-crypto": "^0.10.0",

From f00ada0113e8ab749df3e13da16f8d126cc697cb Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Wed, 3 Feb 2021 14:40:58 -0800
Subject: [PATCH 2/6] dep: Bump debug from ^2.6.0 to ^4.3.0

There's some usage of debug within the library. Looking at the release logs for v3 and v4 (https://github.com/visionmedia/debug/releases/tag/3.0.0, https://github.com/visionmedia/debug/releases/tag/4.0.0), the main highlights are the expected version bumps for where the package is used. Running debug with: DEBUG=* npm run test 2> debug-output.md And comparing across v2 versus v4 didn't result in anything majorly different, besides the timestamps generated for the run. Since there's nothing that broke with this, bumping up the version.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 33e0ebb..a448074 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 },
 "dependencies": {
 "async": "^3.2.0",
- "debug": "^2.6.0",
+ "debug": "^4.3.0",
 "underscore": "^1.8.0",
 "xml-crypto": "^0.10.0",
 "xml-encryption": "^1.2.1",

From 761788e3cff692f1d0579c32cc83dbf65f9fcdfd Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Wed, 3 Feb 2021 14:54:36 -0800
Subject: [PATCH 3/6] dep: Bump xmldom from ^0.1.0 to ^0.4.0

This one is tricky. We primarily use it for DOMParser(), but we also use it for XMLSerializer(). Any major changes to these functions should give us pause. https://github.com/xmldom/xmldom/compare/v0.1.31...0.2.1 The main changes here stem from HTML entity parsing and some CI changes. Should be fine to bump up. 0.3.0 added a new function (getElementsByClassName()) as well as some restructuring of the library, but that's also fine. https://github.com/xmldom/xmldom/compare/0.3.0...0.4.0 0.4.0 strictly checks that the type for parseFromString() is a string. In all cases in the library where we use this, we make sure the input to the function is a string.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index a448074..e11ff81 100644
--- a/package.json
+++ b/package.json
@@ -38,6 +38,6 @@
 "xml-encryption": "^1.2.1",
 "xml2js": "^0.4.0",
 "xmlbuilder": "~2.2.0",
- "xmldom": "^0.1.0"
+ "xmldom": "^0.4.0"
 }
 }

From 57b1486fffa651344fdf1bcecf5750cada0b42d4 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Wed, 3 Feb 2021 17:31:49 -0800
Subject: [PATCH 4/6] dep: Bump xmlbuilder ~2.2.0 to xmlbuilder2 ^2.4.0

This requires a small code change for tests to still pass. On xmlbuilder ~2.2.0, XML creation worked with an array of objects. What this means in practice is that we were able to use a block like: ```javascript [ { 'saml:AuthnContextClassRef': 'context:class' }, { '@Comparison': 'exact' } ] ``` to make an XML block that looked like: ```xml context:class ``` Any xmlbuilder version past that would generate XML that looked like: ```xml context:class ``` However, if we change the context node to be a flat object: ```javascript { 'saml:AuthnContextClassRef': ['context:class', 'context:two'], '@Comparison': 'exact' } ``` we pass the tests.
---
 lib/saml2.coffee | 5 ++---
 package.json | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/saml2.coffee b/lib/saml2.coffee
index 89dd263..6ac3993 100644
--- a/lib/saml2.coffee
+++ b/lib/saml2.coffee
@@ -5,7 +5,7 @@ debug = require('debug') 'saml2'
 {parseString} = require 'xml2js'
 url = require 'url'
 util = require 'util'
-xmlbuilder = require 'xmlbuilder'
+xmlbuilder = require 'xmlbuilder2'
 xmlcrypto = require 'xml-crypto'
 xmldom = require 'xmldom'
 xmlenc = require 'xml-encryption'
@@ -28,8 +28,7 @@ class SAMLError extends Error
 # request.
 create_authn_request = (issuer, assert_endpoint, destination, force_authn, context, nameid_format) ->
 if context?
- context_element = _(context.class_refs).map (class_ref) -> 'saml:AuthnContextClassRef': class_ref
- context_element.push '@Comparison': context.comparison
+ context_element = { 'saml:AuthnContextClassRef': context.class_refs, '@Comparison': context.comparison }
 id = '_' + crypto.randomBytes(21).toString('hex')
 xml = xmlbuilder.create
diff --git a/package.json b/package.json
index e11ff81..2b305a2 100644
--- a/package.json
+++ b/package.json
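Review bot: In the second lib/saml2.coffee hunk, `context_element` now always carries `'@Comparison': context.comparison`, so a caller that supplies `class_refs` without `comparison` hands xmlbuilder2 an undefined attribute value; the removed `push` line did the same, but with the object built in one literal it is cheap to make the attribute conditional, e.g. `context_element = { 'saml:AuthnContextClassRef': context.class_refs }` followed by `context_element['@Comparison'] = context.comparison if context.comparison?`. How xmlbuilder2 serializes an undefined attribute value is not visible here, so whether the current code yields a `Comparison="undefined"` attribute or an error should be confirmed. In the first hunk the binding is still named `xmlbuilder` while it now resolves to `xmlbuilder2`, a different package; renaming it or adding a comment such as `# xmlbuilder2, not xmlbuilder: object-literal input, attributes as '@name' keys` would keep readers from assuming the old API. create_authn_request continues past the hunk, so the `xml = xmlbuilder.create` call that consumes `context_element` cannot be checked here.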
@@ -37,7 +37,7 @@
 "xml-crypto": "^0.10.0",
 "xml-encryption": "^1.2.1",
 "xml2js": "^0.4.0",
- "xmlbuilder": "~2.2.0",
+ "xmlbuilder2": "^2.4.0",
 "xmldom": "^0.4.0"
 }
 }

From 8afe878cc658229a808dfbe58d03b30d5cf9914a Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Wed, 3 Feb 2021 17:37:50 -0800
Subject: [PATCH 5/6] test: Update 'contains an AuthnContext if requested'

This provides more context for failing the case where Comparison=exact is not found as an attribute on the target node.
---
 test/saml2.coffee | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/saml2.coffee b/test/saml2.coffee
index fef1bc4..b595339 100644
--- a/test/saml2.coffee
+++ b/test/saml2.coffee
@@ -51,7 +51,7 @@ describe 'saml2', ->
 authn_request = dom.getElementsByTagName('AuthnRequest')[0]
 requested_authn_context = authn_request.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:protocol', 'RequestedAuthnContext')[0]
- assert _(requested_authn_context.attributes).some (attr) -> attr.name is 'Comparison' and attr.value is 'exact'
+ assert _(requested_authn_context.attributes).some((attr) -> attr.name is 'Comparison' and attr.value is 'exact'), "Could not determine if specified attribute had proper value (Comparison=exact)"
 assert.equal requested_authn_context.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'AuthnContextClassRef')[0].firstChild.data, 'context:class'

From 548d87f63ab81b4c9f5ac035c0d8033738536cd5 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Wed, 3 Feb 2021 17:40:34 -0800
Subject: [PATCH 6/6] chore: Bump minimum node version to >=10.x
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 2b305a2..98ace8d 100644
--- a/package.json
+++ b/package.json
@@ -6,7 +6,7 @@
 "license": "Apache-2.0",
 "main": "index.js",
 "engines": {
- "node": ">=0.10.x"
+ "node": ">=10.x"
 },
 "scripts": {
 "build": "coffee --bare -c -o lib-js lib",
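Review bot: In the test/saml2.coffee hunk the assertion that follows the changed line still pins only the first `AuthnContextClassRef` via `[0].firstChild.data`, while the preceding commit in this series now passes `context.class_refs` through to xmlbuilder2 as an array; asserting the element count too, e.g. `assert.equal requested_authn_context.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'AuthnContextClassRef').length, 1`, would catch the array being flattened or duplicated by the new builder. The expected count depends on the `class_refs` this test passes, which is outside the hunk. The message on the added line is static; appending the attributes actually present, e.g. `_(requested_authn_context.attributes).map((a) -> "#{a.name}=#{a.value}").join(' ')`, would show what was emitted when it fails. The enclosing `describe` body starts and ends outside the hunk.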