Commit c550606f authored by Yadd's avatar Yadd

SAML in progress (#595)

parent abb61aff
......@@ -9,6 +9,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_SAML_ART_ERROR
PE_SAML_CONDITIONS_ERROR
PE_SAML_DESTINATION_ERROR
PE_SAML_ERROR
PM_SAML_IDPCHOOSEN
PE_SAML_IDPSSOINITIATED_NOTALLOWED
PE_SAML_SESSION_ERROR
......@@ -379,10 +380,7 @@ sub extractFormInfo {
# This should not happen
$self->lmLog( "SSO request or response was not found", 'error' );
# Redirect user
$req->mustRedirect(1);
$req->steps( [] );
return PE_OK;
return PE_SAML_ERROR;
}
}
......
......@@ -634,9 +634,8 @@ sub run {
->set_subject_name_id( $login->nameIdentifier );
# Set basic conditions
my $oneTimeUse =
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsOneTimeUse};
my $oneTimeUse = $self->conf->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsOneTimeUse} // 0;
my $conditionNotOnOrAfter = $notOnOrAfterTimeout || "86400";
eval {
......@@ -704,7 +703,7 @@ sub run {
# Signature
my $signSSOMessage =
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsSignSSOMessage};
->{samlSPMetaDataOptionsSignSSOMessage} // -1;
if ( $signSSOMessage == 0 ) {
$self->lmLog( "SSO response will not be signed", 'debug' );
......@@ -720,8 +719,8 @@ sub run {
}
# log that a SAML authn response is build
my $user = $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
my $nameIDLog;
my $user = $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
my $nameIDLog = '';
foreach my $format (qw(persistent transient)) {
if ( $login->nameIdentifier->Format eq
$self->getNameIDFormat($format) )
......
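Review bot: The new `// -1` on `samlSPMetaDataOptionsSignSSOMessage` introduces a sentinel whose meaning is decided by code outside the hunk (only the `== 0` branch is visible), so the assignment deserves a comment such as `# -1: option not set for this SP; presumably defers to the IdP-wide signing setting in the branch below -- confirm`. Defaulting an unset value away from `0` is the right direction, since only an explicit 0 should reach the "SSO response will not be signed" path logged on the next line. The parallel `// 0` on `samlSPMetaDataOptionsOneTimeUse` is worth a note too: with OneTimeUse off unless configured and `$conditionNotOnOrAfter` falling back to 86400 on the context line, an assertion for an SP with no options set is issued with a validity window of a full day, which widens the reuse window at any SP that does not track assertion IDs. `run` starts and ends outside these hunks.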
......@@ -4,6 +4,7 @@ use strict;
use Mouse;
use Lemonldap::NG::Common::Conf::SAML::Metadata;
use Lemonldap::NG::Common::Session;
use LWP::UserAgent;
use XML::Simple;
use MIME::Base64;
use String::Random;
......@@ -21,6 +22,20 @@ has lassoServer => ( is => 'rw' );
has spList => ( is => 'rw', default => sub { {} } );
has idpList => ( is => 'rw', default => sub { {} } );
# return LWP::UserAgent object
has ua => (
is => 'rw',
lasy => 1,
builder => sub {
# TODO : LWP options to use a proxy for example
my $ua = LWP::UserAgent->new();
push @{ $ua->requests_redirectable }, 'POST';
$ua->env_proxy();
return $ua;
}
);
# INITIALIZATION
BEGIN {
......
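Review bot: In the new `ua` attribute, `lasy => 1` is a typo for `lazy`, and `builder` is passed a code ref where Mouse (like Moose) takes a method name, so the attribute will not be lazily built as the comment intends; the fix is `lazy => 1, default => sub { ... }` (or `builder => '_build_ua'` with a named method). The agent is also created without a `timeout`, so a SAML peer that stalls during artifact resolution or a SOAP exchange holds a portal worker for LWP's default of 180 seconds; `LWP::UserAgent->new( timeout => 10 )` with a value from configuration bounds that. `push @{ $ua->requests_redirectable }, 'POST'` makes LWP re-send the POST body to whatever location the peer redirects to, which for SOAP-carried SAML messages is a forwarding/SSRF vector that should at least get a comment stating which peer behaviour requires it. `env_proxy()` reads `HTTP_PROXY` from the environment, and under CGI/FastCGI that variable can be populated from a client `Proxy:` header on libwww-perl versions predating the httpoxy fix, so either require a fixed LWP or set the proxy from configuration as the `TODO` already suggests.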
......@@ -4,7 +4,7 @@ use IO::String;
require 't/test-lib.pm';
my $maintests = 14;
my $maintests = 19;
my $debug = 'debug';
my $res;
my %handlerOR = ( issuer => [], sp => [] );
......@@ -25,7 +25,7 @@ SKIP: {
ok( $sp = sp(), 'SP portal' );
$handlerOR{sp} = \@Lemonldap::NG::Handler::Main::Reload::_onReload;
# Simple SP login
# Simple SP access
my $res;
ok(
$res = $sp->_get(
......@@ -95,6 +95,8 @@ SKIP: {
'Found IdP URL'
);
my $url = $1;
# Push SAML request to IdP
switch ('issuer');
my $s = "SAMLRequest=$samlReq";
ok(
......@@ -107,6 +109,8 @@ SKIP: {
'Post SAML request to IdP'
);
ok( $res->[0] == 200, 'Return code is 200' );
# Try to authenticate to IdP
my $body = $res->[2]->[0];
$body =~ s/^.*?<form.*?>//s;
$body =~ s#</form>.*$##s;
......@@ -120,12 +124,39 @@ SKIP: {
$url,
IO::String->new($s),
accept => 'text/html',
length => length($s)
length => length($s),
),
'Post authentication'
);
ok( $res->[0] == 200, 'Response is 200' ) or explain( $res->[0], 200 );
$cookies = $sp->getCookies($res);
my $idpId;
ok( $idpId = $cookies->{lemonldap}, 'Get cookie' )
or explain( $res, 'Set-Cookie: something' );
# Post SAML artifact to SP
ok( $res->[2]->[0] =~ m#<form.+?action="http://auth.sp.com(.*?)".+?method="post"#,
'Form method is POST' );
$url = $1;
ok(
$res->[2]->[0] =~
/<input type="hidden".+?name="SAMLart".+?value="(.+?)"/s,
'Found SAML artifact'
);
my $samlArt = $1;
switch ('sp');
$s = "SAMLart=$samlArt";
ok(
$res = $sp->_post(
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post artifact to SP'
);
#print STDERR Dumper($res);
#print STDERR Dumper( $res, $url, $s );
}
count($maintests);
......
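Review bot: The final `_post` of the artifact to the SP (`'Post artifact to SP'`) only asserts that the call returned a true value; nothing inspects the SP's response, so the test passes whether the SP accepted the artifact, rejected it or errored, and the two commented-out `Dumper` lines suggest that check is still pending. Add at least `ok( $res->[0] == 200, 'SP accepted artifact' ) or explain( $res->[0], 200 );` and a check that an SP session cookie was issued, then bump `$maintests` to match. The hard-coded `cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata'` pins the IdP selection on the SP side and merits a one-line comment saying so, especially since `$idpId` is captured earlier in the hunk and not used afterwards. Whether `$maintests = 19` matches the number of `ok` calls cannot be confirmed from here, as the old and new sides of this hunk are not marked.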