use lib 'inc';
use Test::More;    # skip_all => 'CAS is in rebuild';
use strict;
use IO::String;
use LWP::UserAgent;
use LWP::Protocol::PSGI;
use MIME::Base64;

BEGIN {
    require 't/test-lib.pm';
}

# Log level handed to both test portals (see issuer() and sp() below).
my $debug = 'error';

# The two portals under test: $issuer acts as CAS server (auth.idp.com),
# $sp as CAS client (auth.sp.com). $res holds the last PSGI response.
my $issuer;
my $sp;
my $res;

# Per-portal copies of @Lemonldap::NG::Handler::Main::_onReload, filled once
# each portal has been built and put back in place by switch().
my %handlerOR = ( sp => [], issuer => [] );

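# Redefine LWP methods for tests: every HTTP request a portal makes to the
# other one (CAS back-channel calls) is served in-process by the portal that
# owns the requested host name, and each hop is checked on the way.
LWP::Protocol::PSGI->register(
    sub {
        my $req = Plack::Request->new(@_);

        # Host names are literal, hence the escaped dots. The captures are
        # copied out in the same statement so that a failed match cannot
        # leave stale $1..$3 behind.
        my ( $host, $url, $query ) = $req->uri =~ m{
            \A http://auth\.((?:id|s)p)\.com
            ([^?]*)
            (?: \? (.*) )?
            \z
        }x;
        ok( defined $host, 'SOAP request' );
        my $res;

        # 'idp' is the CAS server, anything else is routed to the SP.
        my $client = ( $host eq 'idp' ? $issuer : $sp );
        if ( $req->method eq 'POST' ) {
            my $content = $req->content;
            ok(
                $res = $client->_post(
                    $url, IO::String->new($content),
                    length => length($content),
                    query  => $query,
                    type   => 'application/xml',
                ),
                "Execute POST request to $url"
            );
        }
        else {
            ok(
                $res = $client->_get(
                    $url,
                    type  => 'application/xml',
                    query => $query,
                ),
                "Execute request to $url"
            );
        }
        expectOK($res);
        like( getHeader( $res, 'Content-Type' ), qr/xml/, 'Content is XML' )
          or explain( $res->[1], 'Content-Type => application/xml' );

        # Three assertions are issued directly by this hook.
        count(3);
        return $res;
    }
);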

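ok( $issuer = issuer(), 'Issuer portal' );

# Both portals run in one process and share
# @Lemonldap::NG::Handler::Main::_onReload, so each portal's copy of the list
# is kept here and swapped in with switch() before that portal is used.
$handlerOR{issuer} = \@Lemonldap::NG::Handler::Main::_onReload;
count(1);
switch ('sp');

# Plain fully-qualified call rather than the &Pkg::sub() form, which bypasses
# any prototype; with parentheses the two are otherwise identical here.
# NOTE(review): resetting cfgNum to 0 presumably makes the SP's handler load
# its own configuration — confirm.
Lemonldap::NG::Handler::Main::cfgNum( 0, 0 );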

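ok( $sp = sp(), 'SP portal' );
count(1);
$handlerOR{sp} = \@Lemonldap::NG::Handler::Main::_onReload;

# Simple SP access: an unauthenticated request must leave the cookie that
# records which CAS server ('idp') the user is being sent to.
ok(
    $res = $sp->_get(
        '/', accept => 'text/html',
    ),
    'Unauth SP request'
);
count(1);

# is() reports both values on failure, where ok( ... eq ... ) only says "not ok".
is( expectCookie( $res, 'llngcasserver' ), 'idp', 'Get CAS server cookie' );
count(1);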
expectRedirection( $res,
    'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );

# Query IdP: follow the redirection to the CAS login endpoint by hand.
switch ('issuer');
$res = $issuer->_get(
    '/cas/login',
    query  => 'service=http://auth.sp.com/',
    accept => 'text/html'
);
ok( $res, 'Query CAS server' );
count(1);
expectOK($res);

# The pdata cookie set together with the login form is sent back with the
# authentication POST below.
my $pdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );

# Try to authenticate to IdP: scrape the hidden fields out of the login form
# and post them back together with the demo account 'french'.
my $form_html = $res->[2]->[0];
$form_html =~ s/^.*?<form.*?>//s;
$form_html =~ s#</form>.*$##s;
my %form_field =
  ( $form_html =~ /<input type="hidden".+?name="(.+?)".+?value="(.*?)"/sg );
$form_field{user}     = 'french';
$form_field{password} = 'french';
use URI::Escape;
my @pairs;
for my $name ( keys %form_field ) {
    push @pairs, "$name=" . uri_escape( $form_field{$name} );
}
my $form_data = join( '&', @pairs );
$res = $issuer->_post(
    '/cas/login',
    IO::String->new($form_data),
    cookie => $pdata,
    accept => 'text/html',
    length => length($form_data),
);
ok( $res, 'Post authentication' );
count(1);

# Authenticated on the IdP: keep its session id, and the ticket carried by
# the redirection back to the SP.
my $idpId = expectCookie($res);
my ($query) =
  expectRedirection( $res, qr#^http://auth.sp.com/\?(ticket=[^&]+)$# );

# Back to SP: present the ticket. The SP's back-channel validation of it is
# expected to go through the LWP::Protocol::PSGI hook registered above.
switch ('sp');
$res = $sp->_get(
    '/',
    query  => $query,
    accept => 'text/html',
    cookie => 'llngcasserver=idp',
);
ok( $res, 'Query SP with ticket' );
count(1);

# Session id issued by the SP once the ticket has been accepted.
my $spId = expectCookie($res);

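# Test authentication
ok( $res = $sp->_get( '/', cookie => "lemonldap=$spId,llngcasserver=idp" ),
    'Get / on SP' );
count(1);
expectOK($res);
expectAuthenticatedAs( $res, 'french' );

# Test attributes: read the SP session back (presumably through the REST
# session server enabled in sp()) and check that accented values survived.
ok( $res = $sp->_get("/sessions/global/$spId"), 'Get UTF-8' );
expectOK($res);
ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
  or diag($@);

# NOTE(review): the file has no `use utf8`, so the literal below is compared
# as bytes with what from_json() returned; confirm the check still holds
# before adding `use utf8` to this file.
is( $res->{cn}, 'Frédéric Accents', 'UTF-8 values' )
  or explain( $res, 'cn => Frédéric Accents' );
count(3);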

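# Logout initiated by SP
ok(
    $res = $sp->_get(
        '/',
        query  => 'logout',
        cookie => "lemonldap=$spId,llngcasserver=idp",
        accept => 'text/html'
    ),
    'Query SP for logout'
);
count(1);
expectOK($res);

# The SP page embeds the IdP logout URL in an iframe. Path and query are
# captured in one statement instead of reading $1/$2 after later calls, and
# the host name is matched literally (escaped dots).
my $url;
( $url, $query ) =
  ( $res->[2]->[0] =~ m#iframe src="http://auth\.idp\.com(/cas/logout)\?(.+?)"#s );
ok( defined $url, 'Found iframe' );
count(1);

# Query IdP with iframe src: the SP's CSP must allow framing the IdP.
like(
    getHeader( $res, 'Content-Security-Policy' ),
    qr/child-src auth\.idp\.com/,
    'Frame is authorizated'
  )
  or
  explain( $res->[1], 'Content-Security-Policy => ...child-src auth.idp.com' );
count(1);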

switch ('issuer');
$res = $issuer->_get(
    $url,
    query  => $query,
    accept => 'text/html',
    cookie => "lemonldap=$idpId"
);
ok( $res, 'Get iframe from IdP' );
count(1);
expectRedirection( $res, 'http://auth.sp.com/?logout' );

# The IdP answer is shown inside the SP page, so it must not forbid framing:
# either no CSP header at all, or one without a frame-ancestors directive.
my $csp = getHeader( $res, 'Content-Security-Policy' );
ok( !( $csp && $csp =~ /frame-ancestors/ ), ' Frame can be embedded' )
  or explain( $res->[1],
    'Content-Security-Policy does not contain a frame-ancestors' );
count(1);

# Verify that user has been disconnected from the IdP.
$res = $issuer->_get( '/', cookie => "lemonldap=$idpId" );
ok( $res, 'Query IdP' );
count(1);
expectReject($res);
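# ... and from the SP: the request must be sent back to the CAS login page.
# The description used to read 'Query IdP' although the request goes to $sp.
switch ('sp');
ok(
    $res = $sp->_get(
        '/',
        accept => 'text/html',

        # NOTE(review): this presents the IdP's session id to the SP, not
        # $spId; confirm that is intended before tightening the check.
        cookie => "lemonldap=$idpId,llngcasserver=idp"
    ),
    'Query SP'
);
count(1);
expectRedirection( $res,
    'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );

clean_sessions();
done_testing( count() );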

# Install the copy of @Lemonldap::NG::Handler::Main::_onReload saved for the
# given portal ('issuer' or 'sp' — the keys of %handlerOR). Both portals
# share that package array, so its content is swapped by hand before use.
sub switch {
    my ($which) = @_;
    my $saved = $handlerOR{$which};
    @Lemonldap::NG::Handler::Main::_onReload = @{$saved};
}

# Build the portal acting as CAS server (auth.idp.com): Demo authentication,
# CAS issuing enabled, uid used as CAS identifier and cn/uid exported as
# CAS attributes. Returns the LLNG::Manager::Test instance.
sub issuer {
    my %ini = (
        logLevel               => $debug,
        templatesDir           => 'site/htdocs/static',
        domain                 => 'idp.com',
        portal                 => 'http://auth.idp.com',
        authentication         => 'Demo',
        userDB                 => 'Same',
        issuerDBCASActivation  => 1,
        casAttr                => 'uid',
        casAttributes          => { cn => 'cn', uid => 'uid', },
        casAccessControlPolicy => 'none',
        multiValuesSeparator   => ';',
    );
    return LLNG::Manager::Test->new( { ini => \%ini } );
}

# Build the portal acting as CAS client (auth.sp.com): it authenticates its
# users against the 'idp' CAS server declared below, imports cn/mail/uid
# from it and exposes its sessions through the REST session server so the
# test can read them back. Returns the LLNG::Manager::Test instance.
sub sp {
    my %ini = (
        logLevel                   => $debug,
        domain                     => 'sp.com',
        portal                     => 'http://auth.sp.com',
        authentication             => 'CAS',
        userDB                     => 'CAS',
        restSessionServer          => 1,
        issuerDBCASActivation      => 0,
        multiValuesSeparator       => ';',
        casSrvMetaDataExportedVars => {
            idp => {
                cn   => 'cn',
                mail => 'mail',
                uid  => 'uid',
            }
        },
        casSrvMetaDataOptions => {
            idp => {
                casSrvMetaDataOptionsUrl     => 'http://auth.idp.com/cas',
                casSrvMetaDataOptionsGateway => 0,
            }
        },
    );
    return LLNG::Manager::Test->new( { ini => \%ini } );
}