67-CheckUser-with-Global-token.t 6.15 KB
use Test::More;
use strict;
use IO::String;

require 't/test-lib.pm';


my $res;

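# Test portal for the checkUser plugin with one-time form tokens.
# requireToken makes every form carry a 'token' field (asserted by the
# expectForm calls below). tokenUseGlobalStorage is the option this file
# targets; presumably it keeps those tokens in the global session storage
# rather than a dedicated token store - confirm against the option's docs.
my $client = LLNG::Manager::Test->new( {
        ini => {
            logLevel                        => 'error',
            authentication                  => 'Demo',
            userDB                          => 'Same',
            loginHistoryEnabled             => 0,
            brutForceProtection             => 0,
            checkUser                       => 1,
            requireToken                    => 1,
            tokenUseGlobalStorage           => 1,

            # Token lifetime, presumably in seconds: the expiry step further
            # down moves the clock by 5 minutes, which must exceed this value.
            formTimeout                     => 120,
            checkUserDisplayEmptyValues     => 1,
            checkUserDisplayPersistentInfo  => 1,
            checkUserDisplayComputedSession => 1,
            macros                          => {

                # Single-quoted on purpose: these expressions are passed to
                # the portal as strings and are not evaluated by this script.
                _whatToTrace =>
                  '$_auth eq "SAML" ? "$_user\@$_idpConfKey" : "$_user"',

                # The result page is later checked for the upper-cased mail.
                mail => 'uc $mail',
            }
        }
    }
);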

## Try to authenticate
# Fetch the login page first: with requireToken set, the login form must
# expose a 'token' field next to 'user' and 'password'.
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);

# expectForm returns the form's query string; presumably it already contains
# the token value issued with the page (confirm in t/test-lib.pm).
my ( $host, $url, $query ) =
  expectForm( $res, '#', undef, 'user', 'password', 'token' );

# Fill in the credentials of the demo account "dwho"; the rest of the query,
# including the token, is sent back exactly as received.
$query =~ s/user=/user=dwho/;
$query =~ s/password=/password=dwho/;
ok(
    $res = $client->_post(
        '/',
        IO::String->new($query),
        length => length($query),
        accept => 'text/html',
    ),
    'Auth query'
);
count(1);

# $id is reused below as the value of the "lemonldap" cookie, so every
# checkUser request in this file runs inside dwho's session.
my $id = expectCookie($res);
expectRedirection( $res, 'http://auth.example.com/' );

# CheckUser form
# ------------------------
# Request the checkUser page with the authenticated session cookie.
ok(
    $res = $client->_get(
        '/checkuser',
        cookie => "lemonldap=$id",
        accept => 'text/html'
    ),
    'CheckUser form',
);
count(1);

# The checkUser form must also carry a 'token' field; $query now holds the
# query string of this form and is the base for the POSTs that follow.
( $host, $url, $query ) =
  expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );

# $res->[2]->[0] is presumably the first body chunk of a PSGI-style response.
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
  or explain( $res->[2]->[0], 'trspan="checkUser"' );
count(1);

# Wildcarded VHost
# Submit a URL whose host (appli.example.llng) is expected to resolve through
# a wildcard virtual host - presumably declared in the default test
# configuration; it is not set in this file.
$query =~ s/url=/url=http%3A%2F%2Fappli.example.llng/;

ok(
    $res = $client->_post(
        '/checkuser',
        IO::String->new($query),
        cookie => "lemonldap=$id",
        length => length($query),
        accept => 'text/html',
    ),
    'POST checkuser'
);
ok( $res->[2]->[0] =~ m%<span trspan="allowed">%, 'Found allowed' )
  or explain( $res->[2]->[0], 'trspan="allowed"' );
count(2);

# Every response re-issues the form; take the next query string (and with it
# the next token) from that form instead of replaying the one just sent.
( $host, $url, $query ) =
  expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );

# Bad VHost (checkXSS)
# Insert a single quote into the host part of the URL. The substitution only
# matches if the re-issued form echoes the URL sent in the previous request.
# Expected outcome: the portal reports VHnotFound rather than an access result.
# NOTE(review): only the VHnotFound marker is asserted; the test does not check
# how the submitted value is rendered in the returned page.
$query =~ s/url=http%3A%2F%2Fappli.example.llng/url=http%3A%2F%2Fappli'.example.llng/;

ok(
    $res = $client->_post(
        '/checkuser',
        IO::String->new($query),
        cookie => "lemonldap=$id",
        length => length($query),
        accept => 'text/html',
    ),
    'POST checkuser'
);
ok( $res->[2]->[0] =~ m%<span trspan="VHnotFound">%, 'Found VHnotFound' )
  or explain( $res->[2]->[0], 'trspan="VHnotFound"' );
count(2);

# Keep the query of the re-issued form: its token is the one that the
# expiry step below deliberately lets age.
( $host, $url, $query ) =
  expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );

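# Skipping time until the form token has expired.
# $query still carries the token issued with the previous form, i.e. before
# the clock shift; +5m is longer than the formTimeout of 120 set in the
# portal configuration at the top of this file.
# NOTE(review): Time::Fake is not loaded in the visible part of this file;
# presumably t/test-lib.pm provides it - confirm.
Time::Fake->offset("+5m");

ok(
    $res = $client->_post(
        '/checkuser',
        IO::String->new($query),
        cookie => "lemonldap=$id",
        length => length($query),
        accept => 'text/html',
    ),
    'POST checkuser'
);

# The stale token must be refused: the page shows error PE82 (called
# PE_TOKENEXPIRED in the test description) instead of a checkUser result.
ok( $res->[2]->[0] =~ m%<span trspan="PE82"></span>%, 'Found PE_TOKENEXPIRED' )
  or explain( $res->[2]->[0], 'trspan="PE82"' );
count(2);

# The error page re-issues the form; the next section treats its token as
# valid.
( $host, $url, $query ) =
  expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );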

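# Valid token
# $query comes from the form returned with the token-expired error, so it
# holds a token issued after the clock shift. The request runs in dwho's
# session (cookie) but asks about another account, rtyler.
$query =~ s/user=/user=rtyler/;
$query =~ s/url=/url=http%3A%2F%2Ftest1.example.com/;

ok(
    $res = $client->_post(
        '/checkuser',
        IO::String->new($query),
        cookie => "lemonldap=$id",
        length => length($query),
        accept => 'text/html',
    ),
    'POST checkuser'
);
count(1);

( $host, $url, $query ) =
  expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );

# Section markers of the result page. The description of the first check used
# to read "checkUserComputeSession"; it now matches the asserted pattern.
ok( $res->[2]->[0] =~ m%<span trspan="checkUserComputedSession">%,
    'Found trspan="checkUserComputedSession"' )
  or explain( $res->[2]->[0], 'trspan="checkUserComputedSession"' );
ok(
    $res->[2]->[0] =~
m%<div class="alert alert-success"><div class="text-center"><b><span trspan="allowed"></span></b></div></div>%,
    'Found trspan="allowed"'
) or explain( $res->[2]->[0], 'trspan="allowed"' );
ok( $res->[2]->[0] =~ m%<span trspan="headers">%, 'Found trspan="headers"' )
  or explain( $res->[2]->[0], 'trspan="headers"' );
ok( $res->[2]->[0] =~ m%<span trspan="groups_sso">%,
    'Found trspan="groups_sso"' )
  or explain( $res->[2]->[0], 'trspan="groups_sso"' );
ok( $res->[2]->[0] =~ m%<span trspan="attributes">%,
    'Found trspan="attributes"' )
  or explain( $res->[2]->[0], 'trspan="attributes"' );
ok( $res->[2]->[0] =~ m%<span trspan="macros">%, 'Found trspan="macros"' )
  or explain( $res->[2]->[0], 'trspan="macros"' );

# Content checks: the page must describe rtyler (the checked user), not dwho
# (the session owner).
ok( $res->[2]->[0] =~ m%Auth-User: %, 'Found Auth-User' )
  or explain( $res->[2]->[0], 'Header Key: Auth-User' );
ok( $res->[2]->[0] =~ m%: rtyler<br/>%, 'Found rtyler' )
  or explain( $res->[2]->[0], 'Header Value: rtyler' );
ok( $res->[2]->[0] =~ m%<div class="card-text text-left ml-2">su</div>%, 'Found su' )
  or explain( $res->[2]->[0], 'SSO Groups: su' );
ok( $res->[2]->[0] =~ m%<td scope="row">uid</td>%, 'Found uid' )
  or explain( $res->[2]->[0], 'Attribute Value uid' );

# The 'mail' macro is 'uc $mail', hence the upper-cased address.
ok( $res->[2]->[0] =~ m%<td scope="row">RTYLER\@BADWOLF\.ORG</td>%,
    'Found uc mail' )
  or explain( $res->[2]->[0], 'Macro Key uc mail' );

# NOTE(review): this repeats the uid assertion above; it is kept because
# count(12) below includes it.
ok( $res->[2]->[0] =~ m%<td scope="row">uid</td>%, 'Found uid' )
  or explain( $res->[2]->[0], 'Attribute Value uid' );
count(12);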

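# Forbidden URL: check the same user against the manager's URL and expect the
# "forbidden" alert. The substitution only matches if the re-issued form
# echoes the URL submitted in the previous request.
$query =~
s/url=http%3A%2F%2Ftest1.example.com/url=http%3A%2F%2Fmanager.example.com%2Fmanager.html/;

ok(
    $res = $client->_post(
        '/checkuser',
        IO::String->new($query),
        cookie => "lemonldap=$id",
        length => length($query),
        accept => 'text/html',
    ),
    'POST checkuser'
);

# The whole alert block is matched, so an "allowed" banner cannot pass here.
ok(
    $res->[2]->[0] =~
m%<div class="alert alert-danger"><div class="text-center"><b><span trspan="forbidden"></span></b></div></div>%,
    'Found trspan="forbidden"'
) or explain( $res->[2]->[0], 'trspan="forbidden"' );
count(2);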

# Close dwho's session, then clear what the run left in session storage
# (clean_sessions comes from outside this file; presumably t/test-lib.pm).
$client->logout($id);
clean_sessions();

# count() without an argument presumably returns the running total built up
# by the count(N) calls above, which becomes the planned number of tests.
done_testing( count() );