Commit 666e59ad authored by Maxime Besson's avatar Maxime Besson

Fix #1698 by clearing saml request token on unauth issuer flow

Add some unit tests to make sure relevant pdata is cleared after authentication
parent c573ec96
...@@ -110,8 +110,10 @@ sub _redirect { ...@@ -110,8 +110,10 @@ sub _redirect {
# Restore urldc if auth doesn't need to dial with browser # Restore urldc if auth doesn't need to dial with browser
$self->restoreRequest( $req, $ir ); $self->restoreRequest( $req, $ir );
delete $req->pdata->{ $self->ipath };
delete $req->pdata->{ $self->ipath . 'Path' };
return $self->run( @_, @path ); return $self->run( @_, @path );
} }
: () : ()
) )
] ]
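Review bot: The two new `delete` calls on `$req->pdata` carry no comment saying why the saved issuer request is dropped at this point and why they must stay after `restoreRequest`, so a later reorder could silently reintroduce the behaviour fixed here; a one-line comment such as `# The issuer request has been consumed: drop it and its path from pdata so it does not linger in the cookie (#1698)` would pin that down. The key `$self->ipath . 'Path'` is built inline here and, presumably, wherever the value is stored; if the module has a helper for that name it should be used in both places, otherwise a typo in one copy leaves the entry behind without any test noticing. `_redirect` begins and ends outside the hunk, so whether the other return paths of this sub clear the same keys cannot be checked from this view.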
......
...@@ -11,7 +11,7 @@ BEGIN { ...@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm'; require 't/saml-lib.pm';
} }
my $maintests = 21; my $maintests = 22;
my $debug = 'error'; my $debug = 'error';
my ( $issuer, $sp, $res ); my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] ); my %handlerOR = ( issuer => [], sp => [] );
...@@ -131,6 +131,11 @@ SKIP: { ...@@ -131,6 +131,11 @@ SKIP: {
'Post authentication' 'Post authentication'
); );
my $idpId = expectCookie($res); my $idpId = expectCookie($res);
# Expect pdata to be cleared
$pdata = expectCookie( $res, 'lemonldappdata' );
ok( $pdata !~ 'issuerRequestsaml', 'SAML request cleared from pdata' );
( $host, $url, $s ) = ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleSignOnPost', expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleSignOnPost',
'SAMLResponse' ); 'SAMLResponse' );
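Review bot: `ok( $pdata !~ 'issuerRequestsaml', ... )` uses a bare string as the pattern side of `!~`, so on failure the report says only that the test failed and never shows the cookie content; `unlike( $pdata, qr/issuerRequestsaml/, 'SAML request cleared from pdata' );` keeps the same test count and prints the offending value. The same assertion is repeated in the hunks of the five other test files below (the `$pdata` and `$idpPdata` checks after each `expectCookie($res)`), and the same rewrite applies to each of them. If `expectCookie` returns undef or an empty string when the pdata cookie is absent, a negative match passes trivially, so the check presumably relies on `expectCookie` itself failing the test when the cookie is missing; that is worth confirming in t/saml-lib.pm, since the SKIP block and the declaration of `$pdata` lie outside the hunk.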
......
...@@ -11,7 +11,7 @@ BEGIN { ...@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm'; require 't/saml-lib.pm';
} }
my $maintests = 16; my $maintests = 17;
my $debug = 'error'; my $debug = 'error';
my ( $issuer, $sp, $res ); my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] ); my %handlerOR = ( issuer => [], sp => [] );
...@@ -99,6 +99,11 @@ SKIP: { ...@@ -99,6 +99,11 @@ SKIP: {
); );
expectOK($res); expectOK($res);
my $idpId = expectCookie($res); my $idpId = expectCookie($res);
# Expect pdata to be cleared
$pdata = expectCookie( $res, 'lemonldappdata' );
ok( $pdata !~ 'issuerRequestsaml', 'SAML request cleared from pdata' );
( $host, $url, $query ) = ( $host, $url, $query ) =
expectForm( $res, 'auth.sp.com', '/saml/proxySingleSignOnPost', expectForm( $res, 'auth.sp.com', '/saml/proxySingleSignOnPost',
'SAMLResponse', 'RelayState' ); 'SAMLResponse', 'RelayState' );
......
...@@ -113,6 +113,12 @@ ok( ...@@ -113,6 +113,12 @@ ok(
); );
count(1); count(1);
my $idpId = expectCookie($res); my $idpId = expectCookie($res);
# Expect pdata to be cleared
$pdata = expectCookie( $res, 'lemonldappdata' );
ok( $pdata !~ 'issuerRequestsaml', 'SAML request cleared from pdata' );
count(1);
my ($query) = my ($query) =
expectRedirection( $res, qr#^http://auth.sp.com/\?(ticket=[^&]+)$# ); expectRedirection( $res, qr#^http://auth.sp.com/\?(ticket=[^&]+)$# );
......
...@@ -11,7 +11,7 @@ BEGIN { ...@@ -11,7 +11,7 @@ BEGIN {
} }
eval { unlink 't/userdb.db' }; eval { unlink 't/userdb.db' };
my $maintests = 22; my $maintests = 23;
my $debug = 'error'; my $debug = 'error';
my ( $issuer, $sp, $res ); my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] ); my %handlerOR = ( issuer => [], sp => [] );
...@@ -132,6 +132,10 @@ SKIP: { ...@@ -132,6 +132,10 @@ SKIP: {
expectRedirection( $res, qr#^http://auth.sp.com/\?(ticket=[^&]+)$# ); expectRedirection( $res, qr#^http://auth.sp.com/\?(ticket=[^&]+)$# );
my $idpId = expectCookie($res); my $idpId = expectCookie($res);
# Expect pdata to be cleared
$pdata = expectCookie( $res, 'lemonldappdata' );
ok( $pdata !~ 'issuerRequestsaml', 'SAML request cleared from pdata' );
# Back to SP # Back to SP
switch ('sp'); switch ('sp');
......
...@@ -11,7 +11,7 @@ BEGIN { ...@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm'; require 't/saml-lib.pm';
} }
my $maintests = 12; my $maintests = 13;
my $debug = 'error'; my $debug = 'error';
my ( $idp, $proxy, $app, $res ); my ( $idp, $proxy, $app, $res );
my %handlerOR = ( idp => [], proxy => [], app => [] ); my %handlerOR = ( idp => [], proxy => [], app => [] );
...@@ -105,7 +105,7 @@ SKIP: { ...@@ -105,7 +105,7 @@ SKIP: {
ok( ok(
$res = $proxy->_get( $res = $proxy->_get(
"/", "/",
query => "idp=".uri_escape("http://auth.idp.com/saml/metadata"), query => "idp=" . uri_escape("http://auth.idp.com/saml/metadata"),
accept => 'text/html', accept => 'text/html',
cookie => $proxyPdata, cookie => $proxyPdata,
), ),
...@@ -156,6 +156,10 @@ SKIP: { ...@@ -156,6 +156,10 @@ SKIP: {
$query =~ s/\+/%2B/g; $query =~ s/\+/%2B/g;
my $idpId = expectCookie($res); my $idpId = expectCookie($res);
# Expect pdata to be cleared
$idpPdata = expectCookie( $res, 'lemonldappdata' );
ok( $idpPdata !~ 'issuerRequestsaml', 'SAML request cleared from pdata' );
# Post SAML response # Post SAML response
switch ('proxy'); switch ('proxy');
ok( ok(
...@@ -330,9 +334,9 @@ sub proxy { ...@@ -330,9 +334,9 @@ sub proxy {
issuerDBCASActivation => 1, issuerDBCASActivation => 1,
casAttr => 'uid', casAttr => 'uid',
casAttributes => { cn => 'cn', uid => 'uid', mail => 'mail', }, casAttributes => { cn => 'cn', uid => 'uid', mail => 'mail', },
casAccessControlPolicy => 'none', casAccessControlPolicy => 'none',
multiValuesSeparator => ';', multiValuesSeparator => ';',
samlDiscoveryProtocolURL => 'http://discovery.example.com/', samlDiscoveryProtocolURL => 'http://discovery.example.com/',
samlDiscoveryProtocolActivation => 1, samlDiscoveryProtocolActivation => 1,
samlIDPMetaDataExportedAttributes => { samlIDPMetaDataExportedAttributes => {
idp => { idp => {
......
...@@ -11,7 +11,7 @@ BEGIN { ...@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm'; require 't/saml-lib.pm';
} }
my $maintests = 11; my $maintests = 12;
my $debug = 'error'; my $debug = 'error';
my ( $idp, $proxy, $app, $res ); my ( $idp, $proxy, $app, $res );
my %handlerOR = ( idp => [], proxy => [], app => [] ); my %handlerOR = ( idp => [], proxy => [], app => [] );
...@@ -141,6 +141,10 @@ SKIP: { ...@@ -141,6 +141,10 @@ SKIP: {
$query =~ s/\+/%2B/g; $query =~ s/\+/%2B/g;
my $idpId = expectCookie($res); my $idpId = expectCookie($res);
# Expect pdata to be cleared
$idpPdata = expectCookie( $res, 'lemonldappdata' );
ok( $idpPdata !~ 'issuerRequestsaml', 'SAML request cleared from pdata' );
# Post SAML response # Post SAML response
switch ('proxy'); switch ('proxy');
ok( ok(
......