lemonldap-ng/lemonldap-ng-portal/t/71-2F-U2F.t

use Test::More;
use strict;
use IO::String;

require 't/test-lib.pm';
my $maintests = 20;

SKIP: {
    eval { require Crypt::U2F::Server; require Authen::U2F::Tester };
    if ( $@ or $Crypt::U2F::Server::VERSION < 0.42 ) {
        skip 'Missing libraries', $maintests;
    }
    use_ok('Lemonldap::NG::Common::FormEncode');

    my $client = LLNG::Manager::Test->new( {
            ini => {
                logLevel            => 'error',
                u2fSelfRegistration => 1,
                u2fActivation       => 1,
                totp2fTTL           => 2,
                sfManagerRule       => '$uid eq "davros"',
                portalMainLogo      => 'common/logos/logo_llng_old.png',
            }
        }
    );
    my $res;

    # Try to authenticate
    # -------------------
    ok(
        $res = $client->_post(
            '/',
            IO::String->new('user=dwho&password=dwho'),
            length => 23
        ),
        'Auth query'
    );
    my $id = expectCookie($res);

    ok(
        $res = $client->_get(
            '/',
            cookie => "lemonldap=$id",
            accept => 'text/html'
        ),
        'Get Menu'
    );
    ok( $res->[2]->[0] !~ m%<span trspan="sfaManager">sfaManager</span>%,
        'sfaManager link not found' )
      or print STDERR Dumper( $res->[2]->[0] );

    # U2F form
    ok(
        $res = $client->_get(
            '/2fregisters',
            cookie => "lemonldap=$id",
            accept => 'text/html',
        ),
        'Form registration'
    );
    expectRedirection( $res, qr#/2fregisters/u$# );

    ok(
        $res = $client->_get(
            '/2fregisters/u',
            cookie => "lemonldap=$id",
            accept => 'text/html',
        ),
        'Form registration'
    );
    ok( $res->[2]->[0] =~ /u2fregistration\.(?:min\.)?js/, 'Found U2F js' );
    ok(
        $res->[2]->[0] =~ qr%<img src="/static/common/logos/logo_llng_old.png"%,
        'Found custom Main Logo'
    ) or print STDERR Dumper( $res->[2]->[0] );

    # Ajax registration request
    ok(
        $res = $client->_post(
            '/2fregisters/u/register', IO::String->new(''),
            accept => 'application/json',
            cookie => "lemonldap=$id",
            length => 0,
        ),
        'Get registration challenge'
    );
    expectOK($res);
    my $data;
    eval { $data = JSON::from_json( $res->[2]->[0] ) };
    ok( not($@), ' Content is JSON' )
      or explain( [ $@, $res->[2] ], 'JSON content' );
    ok( ( $data->{challenge} and $data->{appId} ), ' Get challenge and appId' )
      or explain( $data, 'challenge and appId' );

    # Build U2F tester
    my $tester = Authen::U2F::Tester->new(
        certificate => Crypt::OpenSSL::X509->new_from_string(
            '-----BEGIN CERTIFICATE-----
MIIB6DCCAY6gAwIBAgIJAJKuutkN2sAfMAoGCCqGSM49BAMCME8xCzAJBgNVBAYT
AlVTMQ4wDAYDVQQIDAVUZXhhczEaMBgGA1UECgwRVW50cnVzdGVkIFUyRiBPcmcx
FDASBgNVBAMMC3ZpcnR1YWwtdTJmMB4XDTE4MDMyODIwMTc1OVoXDTI3MTIyNjIw
MTc1OVowTzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRowGAYDVQQKDBFV
bnRydXN0ZWQgVTJGIE9yZzEUMBIGA1UEAwwLdmlydHVhbC11MmYwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAAQTij+9mI1FJdvKNHLeSQcOW4ob3prvIXuEGJMrQeJF
6OYcgwxrVqsmNMl5w45L7zx8ryovVOti/mtqkh2pQjtpo1MwUTAdBgNVHQ4EFgQU
QXKKf+rrZwA4WXDCU/Vebe4gYXEwHwYDVR0jBBgwFoAUQXKKf+rrZwA4WXDCU/Ve
be4gYXEwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEAiCdOEmw5
hknzHR1FoyFZKRrcJu17a1PGcqTFMJHTC70CIHeCZ8KVuuMIPjoofQd1l1E221rv
RJY1Oz1fUNbrIPsL
-----END CERTIFICATE-----', Crypt::OpenSSL::X509::FORMAT_PEM()
        ),
        key => Crypt::PK::ECC->new(
            \'-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOdbZw1swQIL+RZoDQ9zwjWY5UjA1NO81WWjwbmznUbgoAoGCCqGSM49
AwEHoUQDQgAEE4o/vZiNRSXbyjRy3kkHDluKG96a7yF7hBiTK0HiRejmHIMMa1ar
JjTJecOOS+88fK8qL1TrYv5rapIdqUI7aQ==
-----END EC PRIVATE KEY-----'
        ),
    );
    my $r = $tester->register( $data->{appId}, $data->{challenge} );
    ok( $r->is_success, ' Good challenge value' )
      or diag( $r->error_message );

    my $registrationData = JSON::to_json( {
            clientData       => $r->client_data,
            errorCode        => 0,
            registrationData => $r->registration_data,
            version          => "U2F_V2"
        }
    );
    my ( $host, $url, $query );
    $query = Lemonldap::NG::Common::FormEncode::build_urlencoded(
        registration => $registrationData,
        challenge    => $res->[2]->[0],
    );

    ok(
        $res = $client->_post(
            '/2fregisters/u/registration', IO::String->new($query),
            length => length($query),
            accept => 'application/json',
            cookie => "lemonldap=$id",
        ),
        'Push registration data'
    );
    expectOK($res);
    eval { $data = JSON::from_json( $res->[2]->[0] ) };
    ok( not($@), ' Content is JSON' )
      or explain( [ $@, $res->[2] ], 'JSON content' );
    ok( $data->{result} == 1, 'Key is registered' )
      or explain( $data, '"result":1' );

    # Try to sign-in
    $client->logout($id);
    ok(
        $res = $client->_post(
            '/',
            IO::String->new('user=dwho&password=dwho'),
            length => 23,
            accept => 'text/html',
        ),
        'Auth query'
    );
    ( $host, $url, $query ) = expectForm( $res, undef, '/u2fcheck', 'token' );

    # Get challenge
    ok( $res->[2]->[0] =~ /^.*"keyHandle".*$/m, ' get keyHandle' );
    $data = $&;
    eval { $data = JSON::from_json($data) };
    ok( not($@), ' Content is JSON' )
      or explain( [ $@, $data ], 'JSON content' );

    # Build U2F signature
    $r =
      $tester->sign( $data->{appId}, $data->{challenge},
        $data->{registeredKeys}->[0]->{keyHandle} );
    ok( $r->is_success, ' Good challenge value' )
      or diag( $r->error_message );
    my $sign = JSON::to_json( {
            errorCode     => 0,
            signatureData => $r->signature_data,
            clientData    => $r->client_data,
            keyHandle     => $data->{registeredKeys}->[0]->{keyHandle},
        }
    );
    $sign =
      Lemonldap::NG::Common::FormEncode::build_urlencoded( signature => $sign );
    $query =~ s/signature=/$sign/e;
    $query =~ s/challenge=/challenge=$data->{challenge}/;

    # POST result
    ok(
        $res = $client->_post(
            '/u2fcheck',
            IO::String->new($query),
            length => length($query),
        ),
        'Push U2F signature'
    );

    # See https://github.com/mschout/perl-authen-u2f-tester/issues/2
    if ( $Authen::U2F::Tester::VERSION >= 0.03 ) {
        $id = expectCookie($res);
        $client->logout($id);
    }
    else {
        count(1);
        pass(
'Authen::2F::Tester-0.02 signatures are not recognized by Yubico library'
        );
    }
}

count($maintests);
clean_sessions();
done_testing( count() );
Add partial U2F test 2018-04-09 11:30:45 +02:00			`use Test::More;`
			`use strict;`
			`use IO::String;`

			`require 't/test-lib.pm';`
Improve unit tests (#2185) 2020-04-30 22:26:41 +02:00			`my $maintests = 20;`
Add partial U2F test 2018-04-09 11:30:45 +02:00
			`SKIP: {`
Update U2F test (#1148) 2018-04-12 18:38:57 +02:00			`eval { require Crypt::U2F::Server; require Authen::U2F::Tester };`
			`if ( $@ or $Crypt::U2F::Server::VERSION < 0.42 ) {`
			`skip 'Missing libraries', $maintests;`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`}`
			`use_ok('Lemonldap::NG::Common::FormEncode');`

tidy with new conf 2019-02-07 09:27:56 +01:00			`my $client = LLNG::Manager::Test->new( {`
make tidy 2018-11-26 14:40:21 +01:00			`ini => {`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`logLevel => 'error',`
			`u2fSelfRegistration => 1,`
			`u2fActivation => 1,`
Improve unit tests (#1782) 2019-06-12 22:00:24 +02:00			`totp2fTTL => 2,`
Improve unit tests (#2185) 2020-04-30 22:26:41 +02:00			`sfManagerRule => '$uid eq "davros"',`
			`portalMainLogo => 'common/logos/logo_llng_old.png',`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`}`
			`}`
			`);`
			`my $res;`

			`# Try to authenticate`
			`# -------------------`
make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res = $client->_post(`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`'/',`
			`IO::String->new('user=dwho&password=dwho'),`
			`length => 23`
			`),`
			`'Auth query'`
			`);`
			`my $id = expectCookie($res);`

Improve unit tests (#2185) 2020-04-30 22:26:41 +02:00			`ok(`
			`$res = $client->_get(`
			`'/',`
			`cookie => "lemonldap=$id",`
			`accept => 'text/html'`
			`),`
			`'Get Menu'`
			`);`
			`ok( $res->[2]->[0] !~ m%<span trspan="sfaManager">sfaManager</span>%,`
Better fix and improve unit test (#2337) 2020-10-03 15:05:13 +02:00			`'sfaManager link not found' )`
Improve unit tests (#2185) 2020-04-30 22:26:41 +02:00			`or print STDERR Dumper( $res->[2]->[0] );`

Reorganize tests 2018-04-16 20:06:32 +02:00			`# U2F form`
make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res = $client->_get(`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`'/2fregisters',`
			`cookie => "lemonldap=$id",`
			`accept => 'text/html',`
			`),`
			`'Form registration'`
			`);`
			`expectRedirection( $res, qr#/2fregisters/u$# );`

make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res = $client->_get(`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`'/2fregisters/u',`
			`cookie => "lemonldap=$id",`
			`accept => 'text/html',`
			`),`
			`'Form registration'`
			`);`
			`ok( $res->[2]->[0] =~ /u2fregistration\.(?:min\.)?js/, 'Found U2F js' );`
make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res->[2]->[0] =~ qr%<img src="/static/common/logos/logo_llng_old.png"%,`
			`'Found custom Main Logo'`
			`) or print STDERR Dumper( $res->[2]->[0] );`
Add partial U2F test 2018-04-09 11:30:45 +02:00
			`# Ajax registration request`
make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res = $client->_post(`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`'/2fregisters/u/register', IO::String->new(''),`
			`accept => 'application/json',`
			`cookie => "lemonldap=$id",`
			`length => 0,`
			`),`
			`'Get registration challenge'`
			`);`
			`expectOK($res);`
			`my $data;`
			`eval { $data = JSON::from_json( $res->[2]->[0] ) };`
			`ok( not($@), ' Content is JSON' )`
make tidy 2018-11-26 14:40:21 +01:00			`or explain( [ $@, $res->[2] ], 'JSON content' );`
			`ok( ( $data->{challenge} and $data->{appId} ), ' Get challenge and appId' )`
			`or explain( $data, 'challenge and appId' );`
Add partial U2F test 2018-04-09 11:30:45 +02:00
			`# Build U2F tester`
			`my $tester = Authen::U2F::Tester->new(`
			`certificate => Crypt::OpenSSL::X509->new_from_string(`
			`'-----BEGIN CERTIFICATE-----`
			`MIIB6DCCAY6gAwIBAgIJAJKuutkN2sAfMAoGCCqGSM49BAMCME8xCzAJBgNVBAYT`
			`AlVTMQ4wDAYDVQQIDAVUZXhhczEaMBgGA1UECgwRVW50cnVzdGVkIFUyRiBPcmcx`
			`FDASBgNVBAMMC3ZpcnR1YWwtdTJmMB4XDTE4MDMyODIwMTc1OVoXDTI3MTIyNjIw`
			`MTc1OVowTzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRowGAYDVQQKDBFV`
			`bnRydXN0ZWQgVTJGIE9yZzEUMBIGA1UEAwwLdmlydHVhbC11MmYwWTATBgcqhkjO`
			`PQIBBggqhkjOPQMBBwNCAAQTij+9mI1FJdvKNHLeSQcOW4ob3prvIXuEGJMrQeJF`
			`6OYcgwxrVqsmNMl5w45L7zx8ryovVOti/mtqkh2pQjtpo1MwUTAdBgNVHQ4EFgQU`
			`QXKKf+rrZwA4WXDCU/Vebe4gYXEwHwYDVR0jBBgwFoAUQXKKf+rrZwA4WXDCU/Ve`
			`be4gYXEwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEAiCdOEmw5`
			`hknzHR1FoyFZKRrcJu17a1PGcqTFMJHTC70CIHeCZ8KVuuMIPjoofQd1l1E221rv`
			`RJY1Oz1fUNbrIPsL`
			`-----END CERTIFICATE-----', Crypt::OpenSSL::X509::FORMAT_PEM()`
			`),`
			`key => Crypt::PK::ECC->new(`
			`\'-----BEGIN EC PRIVATE KEY-----`
			`MHcCAQEEIOdbZw1swQIL+RZoDQ9zwjWY5UjA1NO81WWjwbmznUbgoAoGCCqGSM49`
			`AwEHoUQDQgAEE4o/vZiNRSXbyjRy3kkHDluKG96a7yF7hBiTK0HiRejmHIMMa1ar`
			`JjTJecOOS+88fK8qL1TrYv5rapIdqUI7aQ==`
			`-----END EC PRIVATE KEY-----'`
			`),`
			`);`
			`my $r = $tester->register( $data->{appId}, $data->{challenge} );`
Improve unit test (#1515) test main logo link 2018-10-13 22:26:09 +02:00			`ok( $r->is_success, ' Good challenge value' )`
make tidy 2018-11-26 14:40:21 +01:00			`or diag( $r->error_message );`
Add partial U2F test 2018-04-09 11:30:45 +02:00
tidy with new conf 2019-02-07 09:27:56 +01:00			`my $registrationData = JSON::to_json( {`
make tidy 2018-11-26 14:40:21 +01:00			`clientData => $r->client_data,`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`errorCode => 0,`
			`registrationData => $r->registration_data,`
			`version => "U2F_V2"`
			`}`
			`);`
			`my ( $host, $url, $query );`
			`$query = Lemonldap::NG::Common::FormEncode::build_urlencoded(`
			`registration => $registrationData,`
			`challenge => $res->[2]->[0],`
			`);`

make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res = $client->_post(`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`'/2fregisters/u/registration', IO::String->new($query),`
			`length => length($query),`
			`accept => 'application/json',`
			`cookie => "lemonldap=$id",`
			`),`
			`'Push registration data'`
			`);`
			`expectOK($res);`
			`eval { $data = JSON::from_json( $res->[2]->[0] ) };`
			`ok( not($@), ' Content is JSON' )`
make tidy 2018-11-26 14:40:21 +01:00			`or explain( [ $@, $res->[2] ], 'JSON content' );`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`ok( $data->{result} == 1, 'Key is registered' )`
make tidy 2018-11-26 14:40:21 +01:00			`or explain( $data, '"result":1' );`
Add partial U2F test 2018-04-09 11:30:45 +02:00
Fix typo 2018-06-13 21:51:01 +02:00			`# Try to sign-in`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`$client->logout($id);`
make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res = $client->_post(`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`'/',`
			`IO::String->new('user=dwho&password=dwho'),`
			`length => 23,`
			`accept => 'text/html',`
			`),`
			`'Auth query'`
			`);`
			`( $host, $url, $query ) = expectForm( $res, undef, '/u2fcheck', 'token' );`

			`# Get challenge`
Propage @maudoux changes to UTOTP (#1391) 2018-04-17 23:01:34 +02:00			`ok( $res->[2]->[0] =~ /^."keyHandle".$/m, ' get keyHandle' );`
			`$data = $&;`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`eval { $data = JSON::from_json($data) };`
			`ok( not($@), ' Content is JSON' )`
make tidy 2018-11-26 14:40:21 +01:00			`or explain( [ $@, $data ], 'JSON content' );`
Add partial U2F test 2018-04-09 11:30:45 +02:00
			`# Build U2F signature`
make tidy 2018-11-26 14:40:21 +01:00			`$r =`
			`$tester->sign( $data->{appId}, $data->{challenge},`
Propage @maudoux changes to UTOTP (#1391) 2018-04-17 23:01:34 +02:00			`$data->{registeredKeys}->[0]->{keyHandle} );`
Improve unit test (#1515) test main logo link 2018-10-13 22:26:09 +02:00			`ok( $r->is_success, ' Good challenge value' )`
make tidy 2018-11-26 14:40:21 +01:00			`or diag( $r->error_message );`
tidy with new conf 2019-02-07 09:27:56 +01:00			`my $sign = JSON::to_json( {`
make tidy 2018-11-26 14:40:21 +01:00			`errorCode => 0,`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`signatureData => $r->signature_data,`
			`clientData => $r->client_data,`
Apply U2F.patch 2018-04-17 18:08:30 +02:00			`keyHandle => $data->{registeredKeys}->[0]->{keyHandle},`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`}`
			`);`
make tidy 2018-11-26 14:40:21 +01:00			`$sign =`
			`Lemonldap::NG::Common::FormEncode::build_urlencoded( signature => $sign );`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`$query =~ s/signature=/$sign/e;`
			`$query =~ s/challenge=/challenge=$data->{challenge}/;`

			`# POST result`
make tidy 2018-11-26 14:40:21 +01:00			`ok(`
			`$res = $client->_post(`
			`'/u2fcheck',`
			`IO::String->new($query),`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`length => length($query),`
			`),`
			`'Push U2F signature'`
			`);`
Update manifest (#1148) 2018-04-09 13:58:50 +02:00
			`# See https://github.com/mschout/perl-authen-u2f-tester/issues/2`
Fix U2F test (#1148) 2018-04-09 20:29:44 +02:00			`if ( $Authen::U2F::Tester::VERSION >= 0.03 ) {`
Improve unit tests (#1796) 2019-06-14 23:03:38 +02:00			`$id = expectCookie($res);`
			`$client->logout($id);`
Fix U2F test (#1148) 2018-04-09 20:29:44 +02:00			`}`
			`else {`
			`count(1);`
			`pass(`
make tidy 2018-11-26 14:40:21 +01:00			`'Authen::2F::Tester-0.02 signatures are not recognized by Yubico library'`
Fix U2F test (#1148) 2018-04-09 20:29:44 +02:00			`);`
			`}`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`}`

Fix unit test with skip() (#2333) 2020-10-03 13:31:20 +02:00			`count($maintests);`
Add partial U2F test 2018-04-09 11:30:45 +02:00			`clean_sessions();`
			`done_testing( count() );`