use Test::More;
use strict;
BEGIN {
    # Test helper library, loaded by relative path; it presumably provides
    # LLNG::Manager::Test and the expect*/count helpers used further down
    # (none of them is defined in this file).
    require 't/test-lib.pm';

    # Best-effort load at compile time. A failure is deliberately ignored
    # here: the SKIP block re-checks with "require GSSAPI" and skips the
    # whole scenario when the module is missing.
    eval q{use GSSAPI};
}
# Number of ok() assertions written inside the SKIP block. It is the skip
# count when GSSAPI is missing and is handed to count() afterwards.
my $maintests = 14;
my $debug     = 'error';

SKIP: {

    # Nothing below is meaningful without the GSSAPI module.
    eval "require GSSAPI";
    skip( 'GSSAPI not found', $maintests ) if $@;

    # Options shared by every portal instance built in this file.
    my %common_ini = (
        logLevel       => $debug,
        useSafeJail    => 1,
        authentication => 'Kerberos',
        userDB         => 'Null',
        krbKeytab      => '/etc/keytab',
    );

    # Same options plus the JavaScript-driven Kerberos flow.
    my %js_ini = ( %common_ini, krbByJs => 1, krbAuthnLevel => 4 );

    # Authorization header used by the "fake kerberos" requests. The token
    # is a placeholder: GSSAPI::Context::accept is redefined at the bottom
    # of this file by a stub that returns success for any input, so these
    # tests exercise the portal flow, not ticket validation.
    my %fake_ticket = ( HTTP_AUTHORIZATION => 'Negotiate c29tZXRoaW5n' );

    # --- Plain Kerberos: a request without credentials is challenged ------
    my $client = LLNG::Manager::Test->new( { ini => {%common_ini} } );
    my $res    = $client->_get( '/', accept => 'text/html' );
    ok( $res, 'Simple access' );
    ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 );
    ok( getHeader( $res, 'WWW-Authenticate' ) eq 'Negotiate',
        'Get negotiate header' )
      or explain( $res->[1], 'WWW-Authenticate => Negotiate' );

    # --- Kerberos by JavaScript ------------------------------------------
    # NOTE(review): presumably resets the handler's cached configuration
    # number so that the next instance picks up its own ini - confirm.
    &Lemonldap::NG::Handler::Main::cfgNum( 0, 0 );
    $client = LLNG::Manager::Test->new( { ini => {%js_ini} } );

    $res = $client->_get(
        '/',
        query  => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tCg==',
        accept => 'text/html'
    );
    ok( $res, 'First access with JS' );

    my $pdata = expectCookie( $res, 'lemonldappdata' );
    expectForm( $res, '#', undef, 'kerberos' );
    ok( $res->[2][0] =~ m%<input type="hidden" name="kerberos" value="0" />%,
        'Found hidden attribut "kerberos" with value="0"' )
      or print STDERR Dumper( $res->[2][0] );
    ok( $res->[2][0] =~ /kerberos\.(?:min\.)?js/, 'Get Kerberos javascript' );

    # Ajax call without an Authorization header: still a 401 challenge.
    $res = $client->_get(
        '/',
        query  => 'kerberos=1',
        accept => 'application/json',
        cookie => "lemonldappdata=$pdata"
    );
    ok( $res, 'Ajax access' );
    ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 );
    $pdata = expectCookie( $res, 'lemonldappdata' );

    # Same call with a Negotiate header: a session cookie is expected and
    # the persistent-data cookie must come back empty.
    $res = $client->_get(
        '/',
        query  => 'kerberos=1',
        accept => 'application/json',
        custom => {%fake_ticket},
        cookie => "lemonldappdata=$pdata"
    );
    ok( $res, 'Push fake kerberos' );
    my $id = expectCookie($res);
    $pdata = expectCookie( $res, 'lemonldappdata' );
    ok( !$pdata, "Persistent data removed" );

    # Redirect to application
    $res = $client->_get(
        '/',
        query  => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tCg==&kerberos=0',
        accept => 'text/html',
        cookie => "lemonldap=$id"
    );
    ok( $res, 'Go to portal after authentication' );

    # NOTE(review): this pattern is unanchored and its dots are unescaped,
    # so it accepts more than the literal URL; tighten it if the exact
    # redirect target is meant to be pinned.
    expectRedirection( $res, qr#http://test1.example.com# );
    my $cookies = getCookies($res);
    ok( !defined $cookies->{lemonldappdata},
        " Make sure no pdata is returned" );

    # Test krbAllowedDomains
    # The stubbed LLNG::GSSR::display reports the principal
    # dwho@EXAMPLE.COM. $pdata was asserted false above, so the cookie sent
    # from here on carries no real persistent data.

    # Realm absent from the allow-list: the request must be rejected.
    &Lemonldap::NG::Handler::Main::cfgNum( 0, 0 );
    $client = LLNG::Manager::Test->new( {
            ini => { %js_ini, krbAllowedDomains => 'toto.com titi.com' }
        }
    );
    $res = $client->_get(
        '/',
        query  => 'kerberos=1',
        accept => 'application/json',
        custom => {%fake_ticket},
        cookie => "lemonldappdata=$pdata"
    );
    ok( $res, 'Push fake kerberos in blacklisted domain' );
    expectReject( $res, 401, 5, "Rejected because the domain is wrong" );

    # Realm present in the allow-list (written in lower case there, upper
    # case in the stubbed principal): a session cookie is expected.
    &Lemonldap::NG::Handler::Main::cfgNum( 0, 0 );
    $client = LLNG::Manager::Test->new( {
            ini => { %js_ini, krbAllowedDomains => 'toto.com example.com' }
        }
    );
    $res = $client->_get(
        '/',
        query  => 'kerberos=1',
        accept => 'application/json',
        custom => {%fake_ticket},
        cookie => "lemonldappdata=$pdata"
    );
    ok( $res, 'Push fake kerberos in an allowed domain' );
    $id = expectCookie($res);
}

# Register the SKIP block's assertions, drop test sessions, close the plan.
count($maintests);
clean_sessions();
done_testing( count() );
# Redefine GSSAPI method for test
no warnings 'redefine';
# Test double for GSSAPI::Context::accept. No token is inspected: the fifth
# argument is overwritten in the caller (through @_ aliasing) with an
# LLNG::GSSR object - presumably the client-name out-parameter, confirm
# against the GSSAPI documentation - and 1 is always returned.
# With this stub in place every Negotiate token is accepted, so it must stay
# confined to the test suite.
sub GSSAPI::Context::accept ($$$$$$$$$$) {
    $_[4] = bless( {}, 'LLNG::GSSR' );
    return 1;
}
package LLNG::GSSR;
# Stub for the object handed out by the fake GSSAPI::Context::accept.
# Writes a fixed principal into the caller's second argument (through @_
# aliasing) and returns 1. The upper-case realm is what the
# krbAllowedDomains checks in this file are matched against.
sub display {
    $_[1] = 'dwho@EXAMPLE.COM';
    return 1;
}