lemonldap-ng/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app.t

use lib 'inc';
use Test::More;    # skip_all => 'CAS is in rebuild';
use strict;
use IO::String;
use LWP::UserAgent;
use LWP::Protocol::PSGI;
use MIME::Base64;

BEGIN {
    require 't/test-lib.pm';
}

my $debug = 'error';
my ( $issuer, $sp, $res );

eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);

# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
    sub {
        my $req = Plack::Request->new(@_);
        ok( $req->uri =~ m#http://auth.((?:id|s)p).com([^\?]*)(?:\?(.*))?$#,
            'SOAP request' );
        my $host  = $1;
        my $url   = $2;
        my $query = $3;
        my $res;
        my $client = ( $host eq 'idp' ? $issuer : $sp );
        if ( $req->method eq 'POST' ) {
            my $s = $req->content;
            ok(
                $res = $client->_post(
                    $url, IO::String->new($s),
                    length => length($s),
                    query  => $query,
                    type   => 'application/xml',
                ),
                "Execute POST request to $url"
            );
        }
        else {
            ok(
                $res = $client->_get(
                    $url,
                    type  => 'application/xml',
                    query => $query,
                ),
                "Execute request to $url"
            );
        }
        expectOK($res);
        ok( getHeader( $res, 'Content-Type' ) =~ m#xml#, 'Content is XML' )
          or explain( $res->[1], 'Content-Type => application/xml' );
        count(3);
        return $res;
    }
);

$issuer = register( 'issuer', \&issuer );
$sp     = register( 'sp',     \&sp );

# Simple SP access
ok(
    $res = $sp->_get(
        '/', accept => 'text/html',
    ),
    'Unauth SP request'
);
count(1);
expectRedirection( $res,
    'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );

# Query IdP
switch ('issuer');
ok(
    $res = $issuer->_get(
        '/cas/login',
        query  => 'service=http://auth.sp.com/',
        accept => 'text/html'
    ),
    'Query CAS server'
);
count(1);
expectOK($res);
my $pdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );

# Try to authenticate with an unauthorized user to IdP
my $body = $res->[2]->[0];
$body =~ s/^.*?<form.*?>//s;
$body =~ s#</form>.*$##s;
my %fields =
  ( $body =~ /<input type="hidden".+?name="(.+?)".+?value="(.*?)"/sg );
$fields{user} = $fields{password} = 'dwho';
use URI::Escape;
my $s = join( '&', map { "$_=" . uri_escape( $fields{$_} ) } keys %fields );
ok(
    $res = $issuer->_post(
        '/cas/login',
        IO::String->new($s),
        cookie => $pdata,
        accept => 'text/html',
        length => length($s),
    ),
    'Post authentication'
);
count(1);
ok( $res->[2]->[0] =~ /trmsg="68"/, 'Reject reason is 68' )
  or print STDERR Dumper( $res->[2]->[0] );
count(1);

# Simple SP access
ok(
    $res = $sp->_get(
        '/', accept => 'text/html',
    ),
    'Unauth SP request'
);
count(1);
expectRedirection( $res,
    'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );

# Query IdP
switch ('issuer');
ok(
    $res = $issuer->_get(
        '/cas/login',
        query  => 'service=http://auth.sp.com/',
        accept => 'text/html'
    ),
    'Query CAS server'
);
count(1);
expectOK($res);
$pdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );

# Try to authenticate with an authorized to IdP
$body = $res->[2]->[0];
$body =~ s/^.*?<form.*?>//s;
$body =~ s#</form>.*$##s;
%fields = ( $body =~ /<input type="hidden".+?name="(.+?)".+?value="(.*?)"/sg );
$fields{user} = $fields{password} = 'french';
use URI::Escape;
$s = join( '&', map { "$_=" . uri_escape( $fields{$_} ) } keys %fields );
ok(
    $res = $issuer->_post(
        '/cas/login',
        IO::String->new($s),
        cookie => $pdata,
        accept => 'text/html',
        length => length($s),
    ),
    'Post authentication'
);
count(1);
my ($query) =
  expectRedirection( $res, qr#^http://auth.sp.com/\?(ticket=[^&]+)$# );
my $idpId = expectCookie($res);

# Back to SP
switch ('sp');
ok( $res = $sp->_get( '/', query => $query, accept => 'text/html' ),
    'Query SP with ticket' );
count(1);
my $spId = expectCookie($res);

# Test authentication
ok( $res = $sp->_get( '/', cookie => "lemonldap=$spId" ), 'Get / on SP' );
count(1);
expectOK($res);
expectAuthenticatedAs( $res, 'french' );

# Test attributes
ok( $res = $sp->_get("/sessions/global/$spId"), 'Get UTF-8' );
expectOK($res);
ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
  or print STDERR $@;
ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
  or explain( $res, 'cn => Frédéric Accents' );
count(3);

# Logout initiated by SP
ok(
    $res = $sp->_get(
        '/',
        query  => 'logout',
        cookie => "lemonldap=$spId",
        accept => 'text/html'
    ),
    'Query SP for logout'
);
count(1);
expectOK($res);
ok(
    $res->[2]->[0] =~ m#iframe src="http://auth.idp.com(/cas/logout)\?(.+?)"#s,
    'Found iframe'
);
count(1);

# Query IdP with iframe src
my $url = $1;
$query = $2;
expectCspChildOK( $res, "auth.idp.com" );

switch ('issuer');
ok(
    $res = $issuer->_get(
        $url,
        query  => $query,
        accept => 'text/html',
        cookie => "lemonldap=$idpId"
    ),
    'Get iframe from IdP'
);
count(1);
expectRedirection( $res, 'http://auth.sp.com/?logout' );
my $h = getHeader( $res, 'Content-Security-Policy' );
ok( ( not $h or $h !~ /frame-ancestors/ ), ' Frame can be embedded' )
  or explain( $res->[1],
    'Content-Security-Policy does not contain a frame-ancestors' );
count(1);

# Verify that user has been disconnected
ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ), 'Query IdP' );
count(1);
expectReject($res);

switch ('sp');
ok(
    $res =
      $sp->_get( '/', accept => 'text/html', cookie => "lemonldap=$idpId" ),
    'Query IdP'
);
count(1);
expectRedirection( $res,
    'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );

clean_sessions();
done_testing( count() );

sub issuer {
    return LLNG::Manager::Test->new( {
            ini => {
                logLevel                   => $debug,
                domain                     => 'idp.com',
                portal                     => 'http://auth.idp.com',
                authentication             => 'Demo',
                userDB                     => 'Same',
                issuerDBCASActivation      => 1,
                issuerDBCASRule            => '$uid eq "french"',
                casAttr                    => 'uid',
                casAccessControlPolicy     => 'error',
                multiValuesSeparator       => ';',
                casAppMetaDataExportedVars => {
                    sp => {
                        cn   => 'cn',
                        mail => 'mail',
                        uid  => 'uid',
                    }
                },
                casAppMetaDataOptions => {
                    sp => {
                        casAppMetaDataOptionsService => 'http://auth.sp.com',
                    },
                    sp2 => {
                        casAppMetaDataOptionsService => 'http://auth.sp2.com',
                    },
                },
            }
        }
    );
}

sub sp {
    return LLNG::Manager::Test->new( {
            ini => {
                logLevel              => $debug,
                domain                => 'sp.com',
                portal                => 'http://auth.sp.com',
                authentication        => 'CAS',
                userDB                => 'CAS',
                restSessionServer     => 1,
                issuerDBCASActivation => 0,
                multiValuesSeparator  => ';',
                exportedVars          => {
                    cn => 'cn',
                },
                casSrvMetaDataExportedVars => {
                    idp => {
                        cn   => 'cn',
                        mail => 'mail',
                        uid  => 'uid',
                    }
                },
                casSrvMetaDataOptions => {
                    idp => {
                        casSrvMetaDataOptionsUrl => 'http://auth.idp.com/cas',
                        casSrvMetaDataOptionsGateway => 0,
                    }
                },
            },
        }
    );
}
Improve Debian autopkgtest tests 2018-09-05 22:24:23 +02:00			`use lib 'inc';`
Auth::CAS works (#1183) 2017-04-13 09:28:15 +02:00			`use Test::More; # skip_all => 'CAS is in rebuild';`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`use strict;`
			`use IO::String;`
Use inc::LWP::Protocol::PSGI in tests instead of redefining LWP::UserAgent methods (#595) 2018-04-09 22:56:14 +02:00			`use LWP::UserAgent;`
Improve Debian autopkgtest tests 2018-09-05 22:24:23 +02:00			`use LWP::Protocol::PSGI;`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`use MIME::Base64;`

			`BEGIN {`
			`require 't/test-lib.pm';`
			`}`

Use App ExportedVars if defined (#1183) 2017-04-14 09:40:01 +02:00			`my $debug = 'error';`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`my ( $issuer, $sp, $res );`

Fix Perl dependencies (see RT#129960) 2019-07-02 08:55:56 +02:00			`eval { require XML::Simple };`
			`plan skip_all => "Missing dependencies: $@" if ($@);`

Use inc::LWP::Protocol::PSGI in tests instead of redefining LWP::UserAgent methods (#595) 2018-04-09 22:56:14 +02:00			`# Redefine LWP methods for tests`
			`LWP::Protocol::PSGI->register(`
			`sub {`
			`my $req = Plack::Request->new(@_);`
			`ok( $req->uri =~ m#http://auth.((?:id\|s)p).com([^\?])(?:\?(.))?$#,`
			`'SOAP request' );`
			`my $host = $1;`
			`my $url = $2;`
			`my $query = $3;`
			`my $res;`
			`my $client = ( $host eq 'idp' ? $issuer : $sp );`
			`if ( $req->method eq 'POST' ) {`
			`my $s = $req->content;`
			`ok(`
			`$res = $client->_post(`
			`$url, IO::String->new($s),`
			`length => length($s),`
			`query => $query,`
			`type => 'application/xml',`
			`),`
			`"Execute POST request to $url"`
			`);`
			`}`
			`else {`
			`ok(`
			`$res = $client->_get(`
			`$url,`
			`type => 'application/xml',`
			`query => $query,`
			`),`
			`"Execute request to $url"`
			`);`
			`}`
			`expectOK($res);`
			`ok( getHeader( $res, 'Content-Type' ) =~ m#xml#, 'Content is XML' )`
			`or explain( $res->[1], 'Content-Type => application/xml' );`
			`count(3);`
			`return $res;`
			`}`
			`);`
CAS in progress (#595) 2016-12-21 19:06:23 +01:00
Tidy 2020-02-20 23:34:02 +01:00			`$issuer = register( 'issuer', \&issuer );`
			`$sp = register( 'sp', \&sp );`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00
			`# Simple SP access`
			`ok(`
			`$res = $sp->_get(`
			`'/', accept => 'text/html',`
			`),`
			`'Unauth SP request'`
			`);`
			`count(1);`
			`expectRedirection( $res,`
			`'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );`

			`# Query IdP`
			`switch ('issuer');`
			`ok(`
			`$res = $issuer->_get(`
			`'/cas/login',`
			`query => 'service=http://auth.sp.com/',`
			`accept => 'text/html'`
			`),`
			`'Query CAS server'`
			`);`
			`count(1);`
			`expectOK($res);`
make tidy 2018-07-05 23:00:40 +02:00			`my $pdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00
Improve unit test (#1625) 2019-02-10 22:29:50 +01:00			`# Try to authenticate with an unauthorized user to IdP`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00			`my $body = $res->[2]->[0];`
			`$body =~ s/^.?<form.?>//s;`
			`$body =~ s#</form>.*$##s;`
			`my %fields =`
			`( $body =~ /<input type="hidden".+?name="(.+?)".+?value="(.*?)"/sg );`
Improve unit test (#1625) 2019-02-10 22:29:50 +01:00			`$fields{user} = $fields{password} = 'dwho';`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00			`use URI::Escape;`
			`my $s = join( '&', map { "$_=" . uri_escape( $fields{$_} ) } keys %fields );`
			`ok(`
			`$res = $issuer->_post(`
			`'/cas/login',`
			`IO::String->new($s),`
Trying to use pdata for issuers (#1461) 2018-07-04 22:54:09 +02:00			`cookie => $pdata,`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00			`accept => 'text/html',`
			`length => length($s),`
			`),`
			`'Post authentication'`
			`);`
			`count(1);`
Improve unit test (#1625) 2019-02-10 22:29:50 +01:00			`ok( $res->[2]->[0] =~ /trmsg="68"/, 'Reject reason is 68' )`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`or print STDERR Dumper( $res->[2]->[0] );`
Improve unit test (#1625) 2019-02-10 22:29:50 +01:00			`count(1);`

			`# Simple SP access`
			`ok(`
			`$res = $sp->_get(`
			`'/', accept => 'text/html',`
			`),`
			`'Unauth SP request'`
			`);`
			`count(1);`
			`expectRedirection( $res,`
			`'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );`

			`# Query IdP`
			`switch ('issuer');`
			`ok(`
			`$res = $issuer->_get(`
			`'/cas/login',`
			`query => 'service=http://auth.sp.com/',`
			`accept => 'text/html'`
			`),`
			`'Query CAS server'`
			`);`
			`count(1);`
			`expectOK($res);`
			`$pdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );`

			`# Try to authenticate with an authorized to IdP`
			`$body = $res->[2]->[0];`
			`$body =~ s/^.?<form.?>//s;`
			`$body =~ s#</form>.*$##s;`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`%fields = ( $body =~ /<input type="hidden".+?name="(.+?)".+?value="(.*?)"/sg );`
Improve unit test (#1625) 2019-02-10 22:29:50 +01:00			`$fields{user} = $fields{password} = 'french';`
			`use URI::Escape;`
			`$s = join( '&', map { "$_=" . uri_escape( $fields{$_} ) } keys %fields );`
			`ok(`
			`$res = $issuer->_post(`
			`'/cas/login',`
			`IO::String->new($s),`
			`cookie => $pdata,`
			`accept => 'text/html',`
			`length => length($s),`
			`),`
			`'Post authentication'`
			`);`
			`count(1);`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00			`my ($query) =`
			`expectRedirection( $res, qr#^http://auth.sp.com/\?(ticket=[^&]+)$# );`
			`my $idpId = expectCookie($res);`

			`# Back to SP`
			`switch ('sp');`
			`ok( $res = $sp->_get( '/', query => $query, accept => 'text/html' ),`
			`'Query SP with ticket' );`
			`count(1);`
			`my $spId = expectCookie($res);`

			`# Test authentication`
			`ok( $res = $sp->_get( '/', cookie => "lemonldap=$spId" ), 'Get / on SP' );`
			`count(1);`
			`expectOK($res);`
			`expectAuthenticatedAs( $res, 'french' );`

Add UserDB::CAS (#1183) 2017-04-13 21:36:25 +02:00			`# Test attributes`
			`ok( $res = $sp->_get("/sessions/global/$spId"), 'Get UTF-8' );`
			`expectOK($res);`
			`ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )`
perl tidy 2017-06-23 11:57:07 +02:00			`or print STDERR $@;`
Add UserDB::CAS (#1183) 2017-04-13 21:36:25 +02:00			`ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )`
perl tidy 2017-06-23 11:57:07 +02:00			`or explain( $res, 'cn => Frédéric Accents' );`
Add UserDB::CAS (#1183) 2017-04-13 21:36:25 +02:00			`count(3);`

Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00			`# Logout initiated by SP`
			`ok(`
			`$res = $sp->_get(`
			`'/',`
			`query => 'logout',`
			`cookie => "lemonldap=$spId",`
			`accept => 'text/html'`
			`),`
			`'Query SP for logout'`
			`);`
			`count(1);`
			`expectOK($res);`
			`ok(`
			`$res->[2]->[0] =~ m#iframe src="http://auth.idp.com(/cas/logout)\?(.+?)"#s,`
			`'Found iframe'`
			`);`
			`count(1);`

			`# Query IdP with iframe src`
			`my $url = $1;`
			`$query = $2;`
tidy 2022-02-16 17:43:29 +01:00			`expectCspChildOK( $res, "auth.idp.com" );`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00
			`switch ('issuer');`
			`ok(`
			`$res = $issuer->_get(`
			`$url,`
			`query => $query,`
			`accept => 'text/html',`
			`cookie => "lemonldap=$idpId"`
			`),`
			`'Get iframe from IdP'`
			`);`
			`count(1);`
Manage CAS logout service (#1298) 2017-09-11 17:26:44 +02:00			`expectRedirection( $res, 'http://auth.sp.com/?logout' );`
Use inc::LWP::Protocol::PSGI in tests instead of redefining LWP::UserAgent methods (#595) 2018-04-09 22:56:14 +02:00			`my $h = getHeader( $res, 'Content-Security-Policy' );`
			`ok( ( not $h or $h !~ /frame-ancestors/ ), ' Frame can be embedded' )`
Remove "skip" (#1183) 2017-03-29 21:50:43 +02:00			`or explain( $res->[1],`
			`'Content-Security-Policy does not contain a frame-ancestors' );`
			`count(1);`

			`# Verify that user has been disconnected`
			`ok( $res = $issuer->_get( '/', cookie => "lemonldap=$idpId" ), 'Query IdP' );`
			`count(1);`
			`expectReject($res);`

Verify SP logout (#1183) 2017-03-29 21:54:54 +02:00			`switch ('sp');`
			`ok(`
			`$res =`
			`$sp->_get( '/', accept => 'text/html', cookie => "lemonldap=$idpId" ),`
			`'Query IdP'`
			`);`
			`count(1);`
			`expectRedirection( $res,`
			`'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00
			`clean_sessions();`
			`done_testing( count() );`

			`sub issuer {`
tidy with new conf 2019-02-07 09:27:56 +01:00			`return LLNG::Manager::Test->new( {`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`ini => {`
perl tidy 2017-06-23 11:57:07 +02:00			`logLevel => $debug,`
			`domain => 'idp.com',`
			`portal => 'http://auth.idp.com',`
			`authentication => 'Demo',`
			`userDB => 'Same',`
			`issuerDBCASActivation => 1,`
Restore CAS activation global rule (#1625) 2019-02-06 22:16:34 +01:00			`issuerDBCASRule => '$uid eq "french"',`
perl tidy 2017-06-23 11:57:07 +02:00			`casAttr => 'uid',`
			`casAccessControlPolicy => 'error',`
			`multiValuesSeparator => ';',`
Use App ExportedVars if defined (#1183) 2017-04-14 09:40:01 +02:00			`casAppMetaDataExportedVars => {`
			`sp => {`
			`cn => 'cn',`
			`mail => 'mail',`
			`uid => 'uid',`
			`}`
			`},`
			`casAppMetaDataOptions => {`
			`sp => {`
			`casAppMetaDataOptionsService => 'http://auth.sp.com',`
Verify CAS with multiple app (#1183) 2017-04-16 11:47:32 +02:00			`},`
			`sp2 => {`
			`casAppMetaDataOptionsService => 'http://auth.sp2.com',`
			`},`
Use App ExportedVars if defined (#1183) 2017-04-14 09:40:01 +02:00			`},`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`}`
			`}`
			`);`
			`}`

			`sub sp {`
tidy with new conf 2019-02-07 09:27:56 +01:00			`return LLNG::Manager::Test->new( {`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`ini => {`
			`logLevel => $debug,`
			`domain => 'sp.com',`
			`portal => 'http://auth.sp.com',`
			`authentication => 'CAS',`
Add UserDB::CAS (#1183) 2017-04-13 21:36:25 +02:00			`userDB => 'CAS',`
Test for CAS IdP (#1118) 2017-03-02 22:05:59 +01:00			`restSessionServer => 1,`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`issuerDBCASActivation => 0,`
CAS in progress (#595) 2016-12-22 06:57:44 +01:00			`multiValuesSeparator => ';',`
Test for CAS IdP (#1118) 2017-03-02 22:05:59 +01:00			`exportedVars => {`
			`cn => 'cn',`
			`},`
Auth::CAS works (#1183) 2017-04-13 09:28:15 +02:00			`casSrvMetaDataExportedVars => {`
			`idp => {`
			`cn => 'cn',`
			`mail => 'mail',`
			`uid => 'uid',`
			`}`
			`},`
			`casSrvMetaDataOptions => {`
			`idp => {`
			`casSrvMetaDataOptionsUrl => 'http://auth.idp.com/cas',`
			`casSrvMetaDataOptionsGateway => 0,`
			`}`
			`},`
CAS in progress (#595) 2016-12-20 12:53:33 +01:00			`},`
			`}`
			`);`
			`}`