diff --git a/fastcgi-server/man/llng-fastcgi-server.8p b/fastcgi-server/man/llng-fastcgi-server.8p
index 37a70d6ca..3bc402340 100644
--- a/fastcgi-server/man/llng-fastcgi-server.8p
+++ b/fastcgi-server/man/llng-fastcgi-server.8p
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "llng-fastcgi-server 8"
-.TH llng-fastcgi-server 8 "2019-09-24" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH llng-fastcgi-server 8 "2019-10-30" "perl v5.26.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/lemonldap-ng-common/lemonldap-ng.ini b/lemonldap-ng-common/lemonldap-ng.ini
index 6bf6f201d..746ca7a15 100644
--- a/lemonldap-ng-common/lemonldap-ng.ini
+++ b/lemonldap-ng-common/lemonldap-ng.ini
@@ -305,9 +305,10 @@ languages = en, fr, vi, it, ar, de, fi
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
;customPlugins = My::Package1, My::Package2
-; To avoid bad/expired OTT if authssl and auth are served by different Load Balancers
-; you can override OTT configuration to store Upgrade OTT into global storage
+; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
+; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
;forceGlobalStorageUpgradeOTT = 1
+;forceGlobalStorageIssuerOTT = 1
[handler]
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
index 26c9f2493..05bdc52db 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
@@ -260,8 +260,7 @@ sub defaultValues {
'samlAuthnContextMapPassword' => 2,
'samlAuthnContextMapPasswordProtectedTransport' => 3,
'samlAuthnContextMapTLSClient' => 5,
- 'samlEntityID' => '#PORTAL#/saml/metadata',
- 'samlIdPResolveCookie' => 'lemonldapidp',
+ 'samlEntityID' => '#PORTAL#/saml/metadata',
'samlIDPSSODescriptorArtifactResolutionServiceArtifact' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
'samlIDPSSODescriptorSingleLogoutServiceHTTPPost' =>
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm
index 6a854c69c..5357e4112 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm
@@ -195,9 +195,11 @@ sub virtualHosts {
type => 'keyText',
};
- # If rule contains a comment, split it
+ # If rule contains a comment or an AuthLevel, split them
if ( $query eq 'locationRules' ) {
$res->{comment} = '';
+ $res->{level} = '';
+ $res->{level} = $1 if ( $r =~ s/\(\?#AuthnLevel=(-?\d+)\)// );
if ( $r =~ s/\(\?#(.*?)\)// ) {
$res->{title} = $res->{comment} = $1;
}
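Review bot: The AuthnLevel extraction on the `$res->{level} = $1 if ( $r =~ s/\(\?#AuthnLevel=(-?\d+)\)// )` line must run before the generic `(?#(.*?))` capture below it, otherwise a rule with no free-text comment would have its AuthnLevel tag reported to the manager as its comment; that ordering dependency deserves a why-comment, e.g. `# Strip the AuthnLevel tag first: the generic (?#...) capture below would otherwise swallow it as the rule comment`. The capture also accepts negative values (`-?\d+`); unless a negative level is meaningful on the handler side, `\d+` keeps the value within what the manager's integer field can produce. `virtualHosts` continues outside this hunk.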
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
index d927b983d..db4f07ebd 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
@@ -67,7 +67,7 @@ our $issuerParameters = {
issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)],
issuerOptions => [qw(issuersTimeout)],
};
-our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive samlOverrideIDPEntityID)];
+our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive samlOverrideIDPEntityID)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataIntrospectionURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
1;
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/SecureToken.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/SecureToken.pm
index 67b1ce02e..d62dd0e02 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/SecureToken.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/SecureToken.pm
@@ -43,11 +43,11 @@ sub run {
# Catch Secure Token parameters
my $localConfig = $class->localConfig;
- my $secureTokenMemcachedServers =
+ our $secureTokenMemcachedServers =
$localConfig->{secureTokenMemcachedServers} || ['127.0.0.1:11211'];
my $secureTokenExpiration = $localConfig->{secureTokenExpiration} || 60;
my $secureTokenAttribute = $localConfig->{secureTokenAttribute} || 'uid';
- my $secureTokenUrls = $localConfig->{'secureTokenUrls'} || ['.*'];
+ our $secureTokenUrls = $localConfig->{'secureTokenUrls'} || ['.*'];
my $secureTokenHeader = $localConfig->{secureTokenHeader} || 'Auth-Token';
my $secureTokenAllowOnError = $localConfig->{'secureTokenAllowOnError'}
// 1;
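Review bot: Changing `my` to `our` for `$secureTokenMemcachedServers` and `$secureTokenUrls` inside `run` turns two per-request lexicals into package globals that persist across requests in a long-lived handler process and are readable and writable from any other package, while the other local-config values in the same block stay lexical; the diff gives no reason for the split. If the intent is to make them observable from tests or another module, a class accessor (or returning them) is the explicit way to do it; otherwise revert to `my` so the Memcached server list and the URL filter cannot be altered from outside this routine. If they must stay package variables, declare them at file scope with a comment stating who reads them. `run` continues outside this hunk.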
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
index 6d1a809fd..4c05cf990 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
@@ -281,6 +281,7 @@ sub locationRulesInit {
$class->tsv->{locationProtection}->{$vhost} = [];
$class->tsv->{locationRegexp}->{$vhost} = [];
$class->tsv->{locationConditionText}->{$vhost} = [];
+ $class->tsv->{locationAuthnLevel}->{$vhost} = [];
foreach my $url ( sort keys %{$rules} ) {
my ( $cond, $prot ) = $class->conditionSub( $rules->{$url} );
@@ -300,10 +301,14 @@ sub locationRulesInit {
push @{ $class->tsv->{locationCondition}->{$vhost} }, $cond;
push @{ $class->tsv->{locationProtection}->{$vhost} }, $prot;
push @{ $class->tsv->{locationRegexp}->{$vhost} }, qr/$url/;
+ push @{ $class->tsv->{locationAuthnLevel}->{$vhost} },
+ $url =~ /\(\?#AuthnLevel=(-?\d+)\)/
+ ? $1
+ : undef;
push @{ $class->tsv->{locationConditionText}->{$vhost} },
$url =~ /^\(\?#(.*?)\)/ ? $1
: $url =~ /^(.*?)##(.+)$/ ? $2
- : $url;
+ : $url;
$class->tsv->{locationCount}->{$vhost}++;
}
}
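Review bot: The `(?#AuthnLevel=N)` tag is left inside the key that is compiled by `qr/$url/` and, when the rule has no leading comment, it also survives into `locationConditionText`; the new `push` onto `locationAuthnLevel` needs a comment making both facts explicit, e.g. `# The tag is a regex inline comment, ignored when matching; undef means "no URL level, fall back to the vhost level"`. Without it, a reader of `grant` cannot tell whether `undef` entries are an error or the expected default. `locationRulesInit` continues outside this hunk.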
@@ -451,6 +456,7 @@ sub postUrlInit {
# @return array (ref(sub), int)
sub conditionSub {
my ( $class, $cond ) = @_;
+ $cond =~ s/\(\?#(\d+)\)$//;
my ( $OK, $NOK ) = ( sub { 1 }, sub { 0 } );
# Simple cases : accept and deny
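Review bot: The new `$cond =~ s/\(\?#(\d+)\)$//;` strips a trailing `(?#digits)` from the rule expression (the hash value), whereas the AuthnLevel tag introduced elsewhere in this commit lives in the URL key as `(?#AuthnLevel=N)`; nothing in the diff shows which producer writes a bare numeric comment onto the condition, so the line needs a why-comment naming it, e.g. `# Drop a trailing "(?#N)" marker from the rule expression; it is metadata, not part of the condition`. If it was meant to mirror the key-side tag, the two formats should be aligned so one regex serves both. `conditionSub` continues outside this hunk.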
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
index eeb2fd1eb..cd0bcd5be 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
@@ -267,10 +267,31 @@ sub checkMaintenanceMode {
# @return True if the user is granted to access to the current URL
sub grant {
my ( $class, $req, $session, $uri, $cond, $vhost ) = @_;
+ my $level;
+
return $cond->( $req, $session ) if ($cond);
$vhost ||= $class->resolveAlias($req);
- if ( my $level = $class->tsv->{authnLevel}->{$vhost} ) {
+
+ # Using URL authentification level if exists
+ for (
+ my $i = 0 ;
+ $i < ( $class->tsv->{locationCount}->{$vhost} || 0 ) ;
+ $i++
+ )
+ {
+ if ( $uri =~ $class->tsv->{locationRegexp}->{$vhost}->[$i] ) {
+ $level = $class->tsv->{locationAuthnLevel}->{$vhost}->[$i];
+ last;
+ }
+ }
+ $level
+ ? $class->logger->debug(
+ 'Found AuthnLevel=' . $level . ' for "' . "$vhost$uri" . '"' )
+ : $class->logger->debug("No URL authentication level found...");
+
+ # Using VH authentification level if exists
+ if ( $level ||= $class->tsv->{authnLevel}->{$vhost} ) {
if ( $session->{authenticationLevel} < $level ) {
$class->logger->debug(
"User authentication level = $session->{authenticationLevel}");
diff --git a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
index c0764b8c8..5e6020a92 100644
--- a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
+++ b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
@@ -10,6 +10,7 @@ init('Lemonldap::NG::Handler::PSGI');
my $res;
# Unauthentified query
+# --------------------
ok( $res = $client->_get('/'), 'Unauthentified query' );
ok( ref($res) eq 'ARRAY', 'Response is an array' ) or explain( $res, 'array' );
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
@@ -24,17 +25,14 @@ ok(
'Location => http://auth.example.com/?url='
. encode_base64( 'http://test1.example.com/', '' )
);
-
count(4);
# Authentified queries
# --------------------
-
# Authorized query
ok( $res = $client->_get( '/', undef, undef, "lemonldap=$sessionId" ),
'Authentified query' );
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
-
count(2);
ok( $res = $client->_get( '/user_dwho/', undef, undef, "lemonldap=$sessionId" ),
@@ -47,7 +45,12 @@ count(2);
ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
'Denied query' );
ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
+count(2);
+# Required AuthnLevel = 1
+ok( $res = $client->_get( '/AuthWeak', undef, undef, "lemonldap=$sessionId" ),
+ 'Weak Authentified query' );
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
count(2);
ok( $res = $client->_get( '/user_rtyler/', undef, undef, "lemonldap=$sessionId" ),
@@ -56,6 +59,25 @@ ok( $res->[0] == 403, 'Code is 403' ) or explain( $res, 403 );
count(2);
+# Required AuthnLevel = 5
+ok(
+ $res = $client->_get( '/AuthStrong', undef, undef, "lemonldap=$sessionId" ),
+ 'Strong Authentified query'
+);
+ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
+%h = @{ $res->[1] };
+ok(
+ $h{Location} eq 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test1.example.com/AuthStrong', '' ),
+ 'Redirection points to http://test1.example.com/AuthStrong'
+ )
+ or explain(
+ \%h,
+ 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test1.example.com/AuthStrong', '' )
+ );
+count(3);
+
# Bad cookie
ok(
$res = $client->_get(
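Review bot: The expected redirect `'http://auth.example.com//upgradesession?url='` pins a double slash between the portal URL and `/upgradesession`, which looks like the portal base (configured with a trailing slash in lmConf-1.json) being concatenated without normalisation; rather than enshrining that in three test files, the handler should join the path once and the tests should expect `http://auth.example.com/upgradesession?url=...`. Also, `ok( $h{Location} eq ... )` gives no diagnostic on failure, whereas `is( $h{Location}, $expected, 'Redirection points to http://test1.example.com/AuthStrong' )` reports both values. 'Authentified' in the test names reads better as 'Authenticated'.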
@@ -70,9 +92,38 @@ ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
unlink(
't/sessions/lock/Apache-Session-e5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545.lock'
);
-
count(2);
+# Required AuthnLevel = 1
+ok(
+ $res = $client->_get(
+ '/AuthWeak', undef, 'test2.example.com', "lemonldap=$sessionId"
+ ),
+ 'Weak Authentified query'
+);
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+
+# Required AuthnLevel = 5
+ok(
+ $res =
+ $client->_get( '/', undef, 'test2.example.com', "lemonldap=$sessionId" ),
+ 'Default Authentified query'
+);
+ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
+%h = @{ $res->[1] };
+ok(
+ $h{Location} eq 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test2.example.com/', '' ),
+ 'Redirection points to http://test2.example.com/'
+ )
+ or explain(
+ \%h,
+ 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test2.example.com/', '' )
+ );
+count(3);
+
done_testing( count() );
clean();
diff --git a/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t b/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t
index 2fb6f0cf6..03b8f52fd 100644
--- a/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t
+++ b/lemonldap-ng-handler/t/61-Lemonldap-NG-Handler-PSGI-Server.t
@@ -9,6 +9,7 @@ init('Lemonldap::NG::Handler::Server');
my $res;
# Unauthentified query
+# --------------------
ok( $res = $client->_get('/'), 'Unauthentified query' );
ok( ref($res) eq 'ARRAY', 'Response is an array' ) or explain( $res, 'array' );
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
@@ -23,17 +24,14 @@ ok(
'Location => http://auth.example.com/?url='
. encode_base64( 'http://test1.example.com/', '' )
);
-
count(4);
# Authentified queries
# --------------------
-
# Authorized query
ok( $res = $client->_get( '/', undef, undef, "lemonldap=$sessionId" ),
'Authentified query' );
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );
-
count(2);
# Check headers
@@ -46,9 +44,33 @@ count(1);
ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
'Denied query' );
ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
-
count(2);
+# Required AuthnLevel = 1
+ok( $res = $client->_get( '/AuthWeak', undef, undef, "lemonldap=$sessionId" ),
+ 'Weak Authentified query' );
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+
+# Required AuthnLevel = 5
+ok(
+ $res = $client->_get( '/AuthStrong', undef, undef, "lemonldap=$sessionId" ),
+ 'Strong Authentified query'
+);
+ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
+%h = @{ $res->[1] };
+ok(
+ $h{Location} eq 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test1.example.com/AuthStrong', '' ),
+ 'Redirection points to http://test1.example.com/AuthStrong'
+ )
+ or explain(
+ \%h,
+ 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test1.example.com/AuthStrong', '' )
+ );
+count(3);
+
# Bad cookie
ok(
$res = $client->_get(
@@ -63,9 +85,38 @@ ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
unlink(
't/sessions/lock/Apache-Session-e5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545.lock'
);
-
count(2);
+# Required AuthnLevel = 1
+ok(
+ $res = $client->_get(
+ '/AuthWeak', undef, 'test2.example.com', "lemonldap=$sessionId"
+ ),
+ 'Weak Authentified query'
+);
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+
+# Required AuthnLevel = 5
+ok(
+ $res =
+ $client->_get( '/', undef, 'test2.example.com', "lemonldap=$sessionId" ),
+ 'Default Authentified query'
+);
+ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
+%h = @{ $res->[1] };
+ok(
+ $h{Location} eq 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test2.example.com/', '' ),
+ 'Redirection points to http://test2.example.com/'
+ )
+ or explain(
+ \%h,
+ 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test2.example.com/', '' )
+ );
+count(3);
+
done_testing( count() );
clean();
diff --git a/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t b/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
index 148ceef80..784af80e8 100644
--- a/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
+++ b/lemonldap-ng-handler/t/62-Lemonldap-NG-Handler-Nginx.t
@@ -34,7 +34,6 @@ count(4);
ok( $res = $client->_get( '/', undef, undef, "lemonldap=$sessionId" ),
'Authentified query' );
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res->[0], 200 );
-
count(2);
# Check headers
@@ -49,9 +48,33 @@ count(2);
ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
'Denied query' );
ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
-
count(2);
+# Required AuthnLevel = 1
+ok( $res = $client->_get( '/AuthWeak', undef, undef, "lemonldap=$sessionId" ),
+ 'Weak Authentified query' );
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+
+# Required AuthnLevel = 5
+ok(
+ $res = $client->_get( '/AuthStrong', undef, undef, "lemonldap=$sessionId" ),
+ 'Strong Authentified query'
+);
+ok( $res->[0] == 401, 'Code is 401' ) or explain( $res, 401 );
+%h = @{ $res->[1] };
+ok(
+ $h{Location} eq 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test1.example.com/AuthStrong', '' ),
+ 'Redirection points to http://test1.example.com/AuthStrong'
+ )
+ or explain(
+ \%h,
+ 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test1.example.com/AuthStrong', '' )
+ );
+count(3);
+
# Bad cookie
ok(
$res = $client->_get(
@@ -66,9 +89,38 @@ ok( $res->[0] == 401, 'Code is 401' ) or explain( $res->[0], 401 );
unlink(
't/sessions/lock/Apache-Session-e5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545.lock'
);
-
count(2);
+# Required AuthnLevel = 1
+ok(
+ $res = $client->_get(
+ '/AuthWeak', undef, 'test2.example.com', "lemonldap=$sessionId"
+ ),
+ 'Weak Authentified query'
+);
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+
+# Required AuthnLevel = 5
+ok(
+ $res =
+ $client->_get( '/', undef, 'test2.example.com', "lemonldap=$sessionId" ),
+ 'Default Authentified query'
+);
+ok( $res->[0] == 401, 'Code is 401' ) or explain( $res, 401 );
+%h = @{ $res->[1] };
+ok(
+ $h{Location} eq 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test2.example.com/', '' ),
+ 'Redirection points to http://test2.example.com/'
+ )
+ or explain(
+ \%h,
+ 'http://auth.example.com//upgradesession?url='
+ . encode_base64( 'http://test2.example.com/', '' )
+ );
+count(3);
+
done_testing( count() );
clean();
diff --git a/lemonldap-ng-handler/t/lmConf-1.json b/lemonldap-ng-handler/t/lmConf-1.json
index bc031dd3f..e4c00d3be 100644
--- a/lemonldap-ng-handler/t/lmConf-1.json
+++ b/lemonldap-ng-handler/t/lmConf-1.json
@@ -41,12 +41,15 @@
"default": "$uid eq \"dwho\""
},
"test1.example.com": {
+ "^/AuthStrong(?#AuthnLevel=5)": "accept",
+ "^/AuthWeak(?#AuthnLevel=1)": "accept",
"^/logout": "logout_sso",
"^/deny": "deny",
"^/user_(\\w+)/": "$uid eq $_rulematch[1]",
"default": "accept"
},
"test2.example.com": {
+ "^/AuthWeak(?#AuthnLevel=1)": "accept",
"^/logout": "logout_sso",
"default": "accept"
},
@@ -61,5 +64,10 @@
"portal": "http://auth.example.com/",
"reloadUrls": {},
"userDB": "Demo",
+ "vhostOptions": {
+ "test2.example.com": {
+ "vhostAuthnLevel": 5
+ }
+ },
"whatToTrace": "_whatToTrace"
}
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
index 0ecb91a87..a97196112 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@@ -1254,6 +1254,9 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => 3,
'type' => 'int'
},
+ 'forceGlobalStorageIssuerOTT' => {
+ 'type' => 'bool'
+ },
'forceGlobalStorageUpgradeOTT' => {
'type' => 'bool'
},
@@ -3032,10 +3035,6 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
},
'type' => 'file'
},
- 'samlIdPResolveCookie' => {
- 'default' => 'lemonldapidp',
- 'type' => 'text'
- },
'samlIDPSSODescriptorArtifactResolutionServiceArtifact' => {
'default' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
index ff3f63003..7040a597d 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@@ -553,6 +553,11 @@ sub attributes {
documentation =>
'Avoid asking confirmation when an Issuer asks to renew auth',
},
+ forceGlobalStorageIssuerOTT => {
+ type => 'bool',
+ documentation =>
+ 'Force Issuer tokens be stored into Global Storage',
+ },
handlerInternalCache => {
type => 'int',
default => 15,
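Review bot: The `documentation` string `'Force Issuer tokens be stored into Global Storage'` is ungrammatical and does not say why an operator would turn the flag on; the ini comment in this same commit supplies the reason, so something like `'Store Issuer one-time tokens in the global storage instead of the local cache, for portals served by several load balancers'` would match. The attribute also has no explicit `default`, unlike the neighbouring `handlerInternalCache`; if false is intended, `default => 0` documents it.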
@@ -1532,7 +1537,7 @@ sub attributes {
forceGlobalStorageUpgradeOTT => {
type => 'bool',
documentation =>
- 'Force upgrade tokens be stored into Global Storage',
+ 'Force Upgrade tokens be stored into Global Storage',
},
# 2F
@@ -2319,11 +2324,6 @@ sub attributes {
documentation =>
'Use certificate instead of public key in SAML responses',
},
- samlIdPResolveCookie => {
- type => 'text',
- default => 'lemonldapidp',
- documentation => 'SAML IDP resolution cookie',
- },
samlMetadataForceUTF8 => {
default => 1,
type => 'bool',
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
index bd0c6402c..8a6e73a4d 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@@ -1138,7 +1138,6 @@ sub tree {
title => 'samlAdvanced',
help => 'samlservice.html#advanced',
nodes => [
- 'samlIdPResolveCookie',
'samlMetadataForceUTF8',
'samlStorage',
'samlStorageOptions',
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm
index aa8532138..c0b99bd3c 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm
@@ -266,6 +266,7 @@ sub _scanNodes {
$leaf->{comment}
? "(?#$leaf->{comment})$leaf->{re}"
: $leaf->{re};
+ $k .= "(?#AuthnLevel=$leaf->{level})" if $leaf->{level};
$self->set( $target, $key, $k, $leaf->{data} );
}
else {
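Review bot: `$leaf->{level}` is interpolated unvalidated into the rule key that every handler later compiles with `qr//`; a non-integer value arriving through the manager API (anything containing `)`, for instance) would alter the regex or make it fail to compile on the next configuration reload. Accept only integers before appending: `$k .= "(?#AuthnLevel=$leaf->{level})" if defined $leaf->{level} and $leaf->{level} =~ /\A-?\d+\z/;` and report anything else through the parser's error path (its shape is not visible in this hunk). Note too that `if $leaf->{level}` silently drops a level of 0, which matches `grant`'s `||=` fallback but should be said in a comment. `_scanNodes` continues outside this hunk.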
diff --git a/lemonldap-ng-manager/site/coffee/manager.coffee b/lemonldap-ng-manager/site/coffee/manager.coffee
index 75ebb1a0b..1aa5c3b57 100644
--- a/lemonldap-ng-manager/site/coffee/manager.coffee
+++ b/lemonldap-ng-manager/site/coffee/manager.coffee
@@ -592,6 +592,10 @@ llapp.controller 'TreeCtrl', [
if a.template
a._nodes = templates a.template, a.title
node.nodes.push a
+ if a.type.match /^rule$/
+ console.log "Parse rule AuthnLevel as integer"
+ if a.level and typeof a.level == 'string'
+ a.level = parseInt(a.level, 10)
d.resolve 'OK'
$scope.waiting = false
, (response) ->
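Review bot: `console.log "Parse rule AuthnLevel as integer"` fires for every rule node on every tree load and should not ship; remove it. `a.type.match /^rule$/` is an equality test written as a regex, and `parseInt` returns `NaN` for a non-numeric string, which would then be serialised back to the server as `null`; suggest `if a.type is 'rule' and typeof a.level is 'string'` / `lvl = parseInt a.level, 10` / `a.level = if isNaN lvl then '' else lvl`. The enclosing controller callback continues outside this hunk.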
diff --git a/lemonldap-ng-manager/site/htdocs/static/forms/rule.html b/lemonldap-ng-manager/site/htdocs/static/forms/rule.html
index 002f36641..64811cfc2 100644
--- a/lemonldap-ng-manager/site/htdocs/static/forms/rule.html
+++ b/lemonldap-ng-manager/site/htdocs/static/forms/rule.html
@@ -17,6 +17,10 @@
|
|
+
+ |
+ |
+
//else -->
diff --git a/lemonldap-ng-portal/t/30-Auth-SAML-with-choice.t b/lemonldap-ng-portal/t/30-Auth-SAML-with-choice.t
index 021db61bf..e5070ebd8 100644
--- a/lemonldap-ng-portal/t/30-Auth-SAML-with-choice.t
+++ b/lemonldap-ng-portal/t/30-Auth-SAML-with-choice.t
@@ -12,7 +12,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 24;
+my $maintests = 22;
my $debug = 'error';
my %handlerOR = ( issuer => [], sp => [] );
@@ -60,9 +60,6 @@ SKIP: {
),
'Post SAML choice'
);
- ok( expectCookie( $res, 'lemonldapidp' ) == 0, 'IDP cookie deleted' )
- or explain( $res->[1],
- 'Set-Cookie => lemonldapidp=0; domain=.sp.com; path=/; expires=-1d' );
( $host, $url, $query ) = expectForm( $res, undef, undef, 'confirm', );
# IDP must be sorted
@@ -92,16 +89,11 @@ m% IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => "lemonldapidp=0;$spPdata",
+ cookie => "$spPdata",
),
'Post SAML choice'
);
$spPdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $host, $url, $query ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -144,7 +136,7 @@ m%new($query),
accept => 'text/html',
length => length($query),
- cookie => "lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata",
+ cookie => "$spPdata",
),
'Post SAML response to SP'
);
@@ -194,7 +186,6 @@ m%new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -213,9 +204,7 @@ m%_get(
- '/',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ '/', cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t
index bce086c9b..f1f4d3d05 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t
@@ -149,8 +149,7 @@ m#img src="http://auth.idp.com(/saml/relaySingleLogoutSOAP)\?(relay=.*?)"#s,
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO.t
index 1f0b21045..b69808762 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO.t
@@ -10,7 +10,7 @@ BEGIN {
require 't/test-lib.pm';
}
-my $maintests = 14;
+my $maintests = 13;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -65,11 +65,6 @@ SKIP: {
),
'Unauth SP request'
);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $url, $query ) = expectRedirection( $res,
qr#^http://auth.idp.com(/saml/singleSignOnArtifact)\?(SAMLart=.+)# );
@@ -121,7 +116,6 @@ SKIP: {
query => $query,
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Push artifact to SP'
);
@@ -174,8 +168,7 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t
index 9a82d55a9..95844c8ee 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t
@@ -74,7 +74,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -180,8 +179,7 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-Missing-SLO.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-Missing-SLO.t
index 7db977f19..26e29867e 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-Missing-SLO.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-Missing-SLO.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 21;
+my $maintests = 19;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -50,11 +50,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -96,11 +91,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -142,7 +132,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -210,8 +199,7 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST.t
index 361826e4b..5f2c26471 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 22;
+my $maintests = 20;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -50,11 +50,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -96,11 +91,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -148,7 +138,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -206,7 +195,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -227,8 +215,7 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t
index d544abd93..7daeccc4d 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t
@@ -84,7 +84,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -162,8 +161,7 @@ m#iframe src="http://auth.sp.com(/saml/proxySingleLogout)\?(SAMLRequest=.*?)"#,
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP-Missing-SLO.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP-Missing-SLO.t
index ac34ff121..de059716e 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP-Missing-SLO.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP-Missing-SLO.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 23;
+my $maintests = 21;
my $debug = 'error';
my ( $issuer, $sp, $sp2, $res );
my %handlerOR = ( issuer => [], sp => [], sp2 => [] );
@@ -55,15 +55,6 @@ SKIP: {
'Unauth SP request'
);
my ( $host, $url, $query );
- ok(
- expectCookie( $res, 'lemonldapidp' ) eq
- 'http://auth.idp.com/saml/metadata',
- 'IDP cookie defined'
- )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $url, $query ) = expectRedirection( $res,
qr#^http://auth.idp.com(/saml/singleSignOn)\?(SAMLRequest=.+)# );
@@ -113,7 +104,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -144,15 +134,6 @@ SKIP: {
'Unauth SP2 request'
);
- ok(
- expectCookie( $res, 'lemonldapidp' ) eq
- 'http://auth.idp.com/saml/metadata',
- 'IDP cookie defined'
- )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp2.com; path=/'
- );
( $url, $query ) = expectRedirection( $res,
qr#^http://auth.idp.com(/saml/singleSignOn)\?(SAMLRequest=.+)# );
@@ -178,7 +159,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP2'
);
@@ -235,8 +215,7 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
@@ -249,8 +228,7 @@ SKIP: {
$res = $sp2->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$sp2Id"
+ cookie => "lemonldap=$sp2Id"
),
'User is unfortunately still logged into SP2'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP.t
index 34dc2c45b..d116e1e38 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-MultipleSP.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 27;
+my $maintests = 25;
my $debug = 'error';
my ( $issuer, $sp, $sp2, $res );
my %handlerOR = ( issuer => [], sp => [], sp2 => [] );
@@ -55,15 +55,6 @@ SKIP: {
'Unauth SP request'
);
my ( $host, $url, $query );
- ok(
- expectCookie( $res, 'lemonldapidp' ) eq
- 'http://auth.idp.com/saml/metadata',
- 'IDP cookie defined'
- )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $url, $query ) = expectRedirection( $res,
qr#^http://auth.idp.com(/saml/singleSignOn)\?(SAMLRequest=.+)# );
@@ -113,7 +104,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -144,15 +134,6 @@ SKIP: {
'Unauth SP2 request'
);
- ok(
- expectCookie( $res, 'lemonldapidp' ) eq
- 'http://auth.idp.com/saml/metadata',
- 'IDP cookie defined'
- )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp2.com; path=/'
- );
( $url, $query ) = expectRedirection( $res,
qr#^http://auth.idp.com(/saml/singleSignOn)\?(SAMLRequest=.+)# );
@@ -178,7 +159,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP2'
);
@@ -293,8 +273,7 @@ qr#^http://auth.sp.com(/saml/proxySingleLogoutReturn)\?(SAMLResponse=.+)#
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
@@ -306,8 +285,7 @@ qr#^http://auth.sp.com(/saml/proxySingleLogoutReturn)\?(SAMLResponse=.+)#
$res = $sp2->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$sp2Id"
+ cookie => "lemonldap=$sp2Id"
),
'Test if user is reject on SP2'
);
diff --git a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect.t b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect.t
index e86d9b06e..d8bafda2f 100644
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 17;
+my $maintests = 16;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -52,15 +52,6 @@ SKIP: {
'Unauth SP request'
);
my ( $host, $url, $query );
- ok(
- expectCookie( $res, 'lemonldapidp' ) eq
- 'http://auth.idp.com/saml/metadata',
- 'IDP cookie defined'
- )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $url, $query ) = expectRedirection( $res,
qr#^http://auth.idp.com(/saml/singleSignOn)\?(SAMLRequest=.+)# );
@@ -115,7 +106,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -189,8 +179,7 @@ qr#^http://auth.sp.com(/saml/proxySingleLogoutReturn)\?(SAMLResponse=.+)#
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-CDC.t b/lemonldap-ng-portal/t/30-CDC.t
index 86d1ca1ae..e3ff6dc32 100644
--- a/lemonldap-ng-portal/t/30-CDC.t
+++ b/lemonldap-ng-portal/t/30-CDC.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 21;
+my $maintests = 20;
my $debug = 'error';
my ( $issuer, $sp, $cdc, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -63,11 +63,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -126,7 +121,6 @@ m#new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -184,7 +178,6 @@ m#new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -205,8 +198,7 @@ m#_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-SAML-Head-to-Tail-POST.t b/lemonldap-ng-portal/t/30-SAML-Head-to-Tail-POST.t
index 19d22203f..cde45d6bc 100644
--- a/lemonldap-ng-portal/t/30-SAML-Head-to-Tail-POST.t
+++ b/lemonldap-ng-portal/t/30-SAML-Head-to-Tail-POST.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 13;
+my $maintests = 12;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -49,11 +49,6 @@ SKIP: {
),
'Unauth SP request'
);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -96,7 +91,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -109,9 +103,8 @@ SKIP: {
ok(
$res = $sp->_get(
$url || '/',
- query => $s,
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId",
+ query => $s,
+ cookie => "lemonldap=$spId",
accept => 'text/html',
),
' Follow redirection'
@@ -155,7 +148,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -176,8 +168,7 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t b/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t
index 4ca0bb350..6af1a1063 100644
--- a/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t
+++ b/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 18;
+my $maintests = 16;
my $debug = 'error';
my $timeout = 6;
my ( $issuer, $sp, $res );
@@ -51,11 +51,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -97,11 +92,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -148,7 +138,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -201,7 +190,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
diff --git a/lemonldap-ng-portal/t/30-SAML-POST-with-2F-and-Notification.t b/lemonldap-ng-portal/t/30-SAML-POST-with-2F-and-Notification.t
index c4db45d3f..15ce76204 100644
--- a/lemonldap-ng-portal/t/30-SAML-POST-with-2F-and-Notification.t
+++ b/lemonldap-ng-portal/t/30-SAML-POST-with-2F-and-Notification.t
@@ -12,7 +12,7 @@ BEGIN {
require 't/smtp.pm';
}
-my $maintests = 20;
+my $maintests = 19;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -65,11 +65,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -172,7 +167,6 @@ qr% [], sp => [] );
@@ -64,11 +64,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -144,7 +139,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -194,7 +188,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -215,8 +208,7 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/30-SAML-ReAuth-with-choice.t b/lemonldap-ng-portal/t/30-SAML-ReAuth-with-choice.t
index 08fbdca6b..f710f0522 100644
--- a/lemonldap-ng-portal/t/30-SAML-ReAuth-with-choice.t
+++ b/lemonldap-ng-portal/t/30-SAML-ReAuth-with-choice.t
@@ -12,7 +12,7 @@ BEGIN {
}
my $userdb = tempdb();
-my $maintests = 13;
+my $maintests = 12;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -75,11 +75,6 @@ SKIP: {
),
'Unauth SP request'
);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $query ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -92,8 +87,7 @@ SKIP: {
IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie =>
- "lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata",
+ cookie => "lemonldap=$idpId",
),
'Post SAML request to IdP'
);
@@ -108,8 +102,7 @@ SKIP: {
IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie =>
-"lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata;$pdata",
+ cookie => "lemonldap=$idpId;$pdata",
),
'Ask to renew'
);
@@ -127,8 +120,7 @@ SKIP: {
IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie =>
-"lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata;$pdata",
+ cookie => "lemonldap=$idpId;$pdata",
),
'Re auth'
);
@@ -143,8 +135,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata;$pdata",
+ cookie => "lemonldap=$idpId;$pdata",
),
'Follow redirection'
);
@@ -159,7 +150,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
diff --git a/lemonldap-ng-portal/t/30-SAML-ReAuth.t b/lemonldap-ng-portal/t/30-SAML-ReAuth.t
index 2a4157937..b8dcc263d 100644
--- a/lemonldap-ng-portal/t/30-SAML-ReAuth.t
+++ b/lemonldap-ng-portal/t/30-SAML-ReAuth.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 13;
+my $maintests = 12;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -63,11 +63,6 @@ SKIP: {
),
'Unauth SP request'
);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $query ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -80,8 +75,7 @@ SKIP: {
IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie =>
- "lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata",
+ cookie => "lemonldap=$idpId",
),
'Post SAML request to IdP'
);
@@ -96,8 +90,7 @@ SKIP: {
IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie =>
-"lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata;$pdata",
+ cookie => "lemonldap=$idpId;$pdata",
),
'Ask to renew'
);
@@ -115,8 +108,7 @@ SKIP: {
IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie =>
-"lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata;$pdata",
+ cookie => "lemonldap=$idpId;$pdata",
),
'Re auth'
);
@@ -131,8 +123,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$idpId;lemonldapidp=http://auth.idp.com/saml/metadata;$pdata",
+ cookie => "lemonldap=$idpId;$pdata",
),
'Follow redirection'
);
@@ -147,7 +138,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
diff --git a/lemonldap-ng-portal/t/30-SAML-SP-rule.t b/lemonldap-ng-portal/t/30-SAML-SP-rule.t
index ba267dfd0..bfa9382f7 100644
--- a/lemonldap-ng-portal/t/30-SAML-SP-rule.t
+++ b/lemonldap-ng-portal/t/30-SAML-SP-rule.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 7;
+my $maintests = 6;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -51,15 +51,6 @@ SKIP: {
),
'Unauth SP request'
);
- ok(
- expectCookie( $res, 'lemonldapidp' ) eq
- 'http://auth.idp.com/saml/metadata',
- 'IDP cookie defined'
- )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $url, $query ) = expectRedirection( $res,
qr#^http://auth.idp.com(/saml/singleSignOn)\?(SAMLRequest=.+)# );
diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
index b9650c9ce..cefef0a6f 100644
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
@@ -184,21 +184,6 @@ ok(
count(1);
expectReject($res);
-#switch ('rp');
-#ok(
-# $res = $rp->_get(
-# '/',
-# accept => 'text/html',
-# cookie =>
-# "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
-# ),
-# 'Test if user is reject on SP'
-#);
-#count(1);
-#expectRedirection( $res, qr#^http://auth.op.com/oauth2/authorize# );
-
-#print STDERR Dumper($res);
-
clean_sessions();
done_testing( count() );
diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t
index 459560215..97ae6d89c 100644
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t
@@ -260,8 +260,7 @@ ok(
$res = $rp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t
index 58c67391e..921802997 100644
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t
@@ -228,8 +228,7 @@ SKIP: {
$res = $rp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t
index 037d340d7..50b7fc8bb 100644
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t
@@ -256,8 +256,7 @@ ok(
$res = $rp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
index 12898790d..d716b5c6e 100644
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
@@ -256,8 +256,7 @@ ok(
$res = $rp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST-with-WAYF.t b/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST-with-WAYF.t
index 879ceac0a..d61a2f227 100644
--- a/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST-with-WAYF.t
+++ b/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST-with-WAYF.t
@@ -167,8 +167,7 @@ SKIP: {
$url, IO::String->new($query),
length => length($query),
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata;$proxyPdata",
+ cookie => "$proxyPdata",
),
'POST SAML response'
);
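Review bot: The rewritten cookie argument `cookie => "$proxyPdata",` interpolates a single scalar into a string for no reason; if `$proxyPdata` holds a plain string (as its use as a cookie fragment suggests) `cookie => $proxyPdata,` is equivalent and is the form the rest of these tests use for bare values. The same pattern appears in the corresponding hunk of 37-CAS-App-to-SAML-IdP-POST.t (`"$proxyPdata"`) and in the 37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t, 37-OIDC-RP-to-SAML-IdP-GET.t and 37-OIDC-RP-to-SAML-IdP-POST.t hunks (`"$spPdata"`). The enclosing SKIP block starts and ends outside the hunk.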
@@ -178,8 +177,7 @@ SKIP: {
$res = $proxy->_get(
$url,
accept => 'text/html',
- cookie =>
-"lemonldapidp=http://auth.idp.com/saml/metadata;lemonldap=$spId;$proxyPdata",
+ cookie => "lemonldap=$spId;$proxyPdata",
),
'Follow internal redirection'
);
diff --git a/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST.t b/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST.t
index bb7a7a863..efb60f67c 100644
--- a/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST.t
+++ b/lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST.t
@@ -152,8 +152,7 @@ SKIP: {
$url, IO::String->new($query),
length => length($query),
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.idp.com/saml/metadata;$proxyPdata",
+ cookie => "$proxyPdata",
),
'POST SAML response'
);
@@ -163,8 +162,7 @@ SKIP: {
$res = $proxy->_get(
$url,
accept => 'text/html',
- cookie =>
-"lemonldapidp=http://auth.idp.com/saml/metadata;lemonldap=$spId;$proxyPdata",
+ cookie => "lemonldap=$spId;$proxyPdata",
),
'Follow internal redirection'
);
diff --git a/lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-SP.t b/lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-SP.t
index 1a906ea7e..e547204be 100644
--- a/lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-SP.t
+++ b/lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-SP.t
@@ -167,7 +167,6 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie => 'lemonldapidp=http://auth.op.com/saml/metadata'
),
'Try SAML SP'
);
@@ -197,7 +196,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -305,8 +303,7 @@ m#iframe src="http://auth.op.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
$res = $rp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.op.com/saml/metadata; lemonldap=$rpId"
+ cookie => "lemonldap=$rpId"
),
'Test if user is reject on SP'
);
@@ -317,8 +314,7 @@ m#iframe src="http://auth.op.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie =>
- "lemonldapidp=http://auth.op.com/saml/metadata; lemonldap=$spId"
+ cookie => "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t
index 60a344d41..075748a6b 100644
--- a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t
+++ b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t
@@ -115,8 +115,6 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
-
- # cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata'
),
"Push request to OP, endpoint $url"
);
@@ -186,7 +184,7 @@ SKIP: {
$url, IO::String->new($query),
length => length($query),
accept => 'text/html',
- cookie => "lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "$spPdata"
),
'POST SAML response'
);
@@ -200,8 +198,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$spId;lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "lemonldap=$spId;$spPdata"
),
'Follow internal redirection from SAML-SP to OIDC-OP'
);
@@ -211,8 +208,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$spId;lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "lemonldap=$spId;$spPdata"
),
'Confirm OIDC sharing'
);
diff --git a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET.t b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET.t
index b6d77a422..3f8fcd20a 100644
--- a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET.t
+++ b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET.t
@@ -115,8 +115,6 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
-
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata'
),
"Push request to OP, endpoint $url"
);
@@ -169,7 +167,7 @@ SKIP: {
$url, IO::String->new($query),
length => length($query),
accept => 'text/html',
- cookie => "lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "$spPdata"
),
'POST SAML response'
);
@@ -183,8 +181,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$spId;lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "lemonldap=$spId;$spPdata"
),
'Follow internal redirection from SAML-SP to OIDC-OP'
);
@@ -194,8 +191,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$spId;lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "lemonldap=$spId;$spPdata"
),
'Confirm OIDC sharing'
);
diff --git a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-POST.t b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-POST.t
index c167df41b..812ef84f8 100644
--- a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-POST.t
+++ b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-POST.t
@@ -115,8 +115,6 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
-
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata'
),
"Push request to OP, endpoint $url"
);
@@ -171,7 +169,7 @@ SKIP: {
$url, IO::String->new($query),
length => length($query),
accept => 'text/html',
- cookie => "lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata",
+ cookie => "$spPdata",
),
'POST SAML response'
);
@@ -185,8 +183,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$spId;lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "lemonldap=$spId;$spPdata"
),
'Follow internal redirection from SAML-SP to OIDC-OP'
);
@@ -196,8 +193,7 @@ SKIP: {
$url,
query => $query,
accept => 'text/html',
- cookie =>
-"lemonldap=$spId;lemonldapidp=http://auth.idp.com/saml/metadata;$spPdata"
+ cookie => "lemonldap=$spId;$spPdata"
),
'Confirm OIDC sharing'
);
diff --git a/lemonldap-ng-portal/t/37-SAML-SP-GET-to-OIDC-OP.t b/lemonldap-ng-portal/t/37-SAML-SP-GET-to-OIDC-OP.t
index e7f368373..e1cff582f 100644
--- a/lemonldap-ng-portal/t/37-SAML-SP-GET-to-OIDC-OP.t
+++ b/lemonldap-ng-portal/t/37-SAML-SP-GET-to-OIDC-OP.t
@@ -107,7 +107,6 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie => 'lemonldapidp=http://auth.proxy.com/saml/metadata'
),
'Try SAML SP'
);
@@ -207,7 +206,6 @@ SKIP: {
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.proxy.com/saml/metadata',
),
'Post SAML response to SP'
);
diff --git a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t
index 23bc0e863..7f3968d32 100644
--- a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t
+++ b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 17;
+my $maintests = 16;
my $debug = 'error';
my ( $issuer, $proxy, $sp, $res );
my %handlerOR = ( issuer => [], proxy => [], sp => [] );
@@ -88,11 +88,6 @@ SKIP: {
),
'Unauth SP request'
);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.proxy.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $query ) =
expectAutoPost( $res, 'auth.proxy.com', '/saml/singleSignOn',
@@ -189,7 +184,6 @@ qr'^http://auth.idp.com/cas/login\?(service=http%3A%2F%2Fauth.proxy.com%2F.*)$'
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.proxy.com/saml/metadata',
),
'Post SAML response to SP'
);
diff --git a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t
index cedb7427a..839856d46 100644
--- a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t
+++ b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 15;
+my $maintests = 14;
my $debug = 'error';
my ( $issuer, $proxy, $sp, $res );
my %handlerOR = ( issuer => [], proxy => [], sp => [] );
@@ -89,11 +89,6 @@ SKIP: {
),
'Unauth SP request'
);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.proxy.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $query ) =
expectAutoPost( $res, 'auth.proxy.com', '/saml/singleSignOn',
@@ -174,7 +169,6 @@ qr'^http://auth.idp.com/cas/login\?(service=http%3A%2F%2Fauth.proxy.com%2F.*)$'
$url, IO::String->new($query),
accept => 'text/html',
length => length($query),
- cookie => 'lemonldapidp=http://auth.proxy.com/saml/metadata',
),
'Post SAML response to SP'
);
diff --git a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-OIDC-OP.t b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-OIDC-OP.t
index ac5a9aab3..df286b067 100644
--- a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-OIDC-OP.t
+++ b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-OIDC-OP.t
@@ -107,7 +107,6 @@ SKIP: {
$res = $sp->_get(
'/',
accept => 'text/html',
- cookie => 'lemonldapidp=http://auth.proxy.com/saml/metadata'
),
'Try SAML SP'
);
@@ -205,7 +204,6 @@ SKIP: {
$url, IO::String->new($query),
length => length($query),
accept => 'text/html',
- cookie => 'lemonldapidp=http://auth.proxy.com/saml/metadata',
),
'Post SAML response to SP'
);
diff --git a/lemonldap-ng-portal/t/62-UpgradeSession.t b/lemonldap-ng-portal/t/62-UpgradeSession.t
index 33a9afbbb..1d94c20d2 100644
--- a/lemonldap-ng-portal/t/62-UpgradeSession.t
+++ b/lemonldap-ng-portal/t/62-UpgradeSession.t
@@ -9,6 +9,7 @@ require 't/smtp.pm';
use_ok('Lemonldap::NG::Common::FormEncode');
count(1);
+my $res;
my $client = LLNG::Manager::Test->new( {
ini => {
logLevel => 'error',
@@ -26,6 +27,13 @@ my $client = LLNG::Manager::Test->new( {
'vhostAuthnLevel' => 3
},
},
+ "locationRules" => {
+ "test1.example.com" => {
+ 'default' => 'accept',
+ '^/AuthWeak(?#AuthnLevel=2)' => 'deny',
+ '^/AuthStrong(?#AuthnLevel=5)' => 'deny',
+ },
+ },
}
}
);
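Review bot: The added `locationRules` keys are double-quoted while every neighbouring key in this config block (for example `'vhostAuthnLevel'`) is single-quoted; none of the new strings interpolate, so `'locationRules' => {` and `'test1.example.com' => {` would match the surrounding style and stop a reader looking for a variable inside `"test1.example.com"`. The enclosing `LLNG::Manager::Test->new` call starts before the hunk.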
@@ -33,7 +41,7 @@ my $client = LLNG::Manager::Test->new( {
# Try to authenticate
# -------------------
ok(
- my $res = $client->_post(
+ $res = $client->_post(
'/',
IO::String->new('user=dwho&password=dwho&lmAuth=weak'),
length => 35,
@@ -42,15 +50,40 @@ ok(
'Auth query'
);
count(1);
-
my $id = expectCookie($res);
+
+# Portal IS NOT a handler
+#########################
+ok(
+ $res = $client->_get(
+ '/AuthWeak',
+ accept => 'text/html',
+ cookie => "lemonldap=$id",
+ host => 'test1.example.com',
+ ),
+ 'GET http://test1.example.com/AuthWeak'
+);
+expectOK($res);
+count(1);
+
+ok(
+ $res = $client->_get(
+ '/AuthStrong',
+ accept => 'text/html',
+ cookie => "lemonldap=$id",
+ host => 'test1.example.com',
+ ),
+ 'GET http://test1.example.com/AuthStrong'
+);
+count(1);
+
# After attempting to access test1,
# the handler sends up back to /upgradesession
# --------------------------------------------
ok(
- my $res = $client->_get(
+ $res = $client->_get(
'/upgradesession',
query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t',
accept => 'text/html',
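Review bot: The new `/AuthStrong` request asserts nothing about the response: `ok( $res = $client->_get(...) )` only checks that `_get` returned a value, so a change in how the portal treats the `^/AuthStrong(?#AuthnLevel=5)` rule for a session opened with `lmAuth=weak` would pass unnoticed. The `/AuthWeak` block just above adds `expectOK($res);`; if, as the `# Portal IS NOT a handler` comment suggests, the portal is expected to serve `/AuthStrong` the same way, add `expectOK($res);` before its `count(1);`, otherwise assert the redirection or status the test intends. The comment could also say what is being checked, e.g. `# Portal IS NOT a handler: locationRules are not enforced here, both paths must be served`.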
@@ -67,7 +100,7 @@ my ( $host, $url, $query ) =
# ----------------------
ok(
- my $res = $client->_post(
+ $res = $client->_post(
'/upgradesession',
IO::String->new($query),
length => length($query),
@@ -79,8 +112,7 @@ ok(
count(1);
my $pdata = expectCookie( $res, 'lemonldappdata' );
-
-my ( $host, $url, $query ) = expectForm( $res, '#', undef, 'upgrading', 'url' );
+( $host, $url, $query ) = expectForm( $res, '#', undef, 'upgrading', 'url' );
$query = $query . "&lmAuth=strong";
@@ -89,7 +121,7 @@ $query = $query . "&lmAuth=strong";
# -------------------------------------------
ok(
- my $res = $client->_post(
+ $res = $client->_post(
'/upgradesession',
IO::String->new($query),
length => length($query),
@@ -110,7 +142,7 @@ expectRedirection( $res, 'http://test1.example.com' );
# Make pdata was cleared and we aren't being redirected
ok(
- my $res = $client->_get(
+ $res = $client->_get(
'/',
accept => 'text/html',
cookie => "lemonldap=$id;lemonldappdata=$pdata",
@@ -118,7 +150,6 @@ ok(
'Post login'
);
count(1);
-
expectOK($res);
clean_sessions();
diff --git a/lemonldap-ng-portal/t/67-CheckUser-with-issuer-SAML-POST.t b/lemonldap-ng-portal/t/67-CheckUser-with-issuer-SAML-POST.t
index 58a2d6070..cf1158ae5 100644
--- a/lemonldap-ng-portal/t/67-CheckUser-with-issuer-SAML-POST.t
+++ b/lemonldap-ng-portal/t/67-CheckUser-with-issuer-SAML-POST.t
@@ -11,7 +11,7 @@ BEGIN {
require 't/saml-lib.pm';
}
-my $maintests = 24;
+my $maintests = 21;
my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
@@ -50,11 +50,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
my ( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -96,11 +91,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -147,7 +137,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -173,11 +162,6 @@ SKIP: {
'Unauth SP request'
);
expectOK($res);
- ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' )
- or explain(
- $res->[1],
-'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/'
- );
( $host, $url, $s ) =
expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
'SAMLRequest' );
@@ -225,7 +209,6 @@ SKIP: {
$url, IO::String->new($s),
accept => 'text/html',
length => length($s),
- cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
),
'Post SAML response to SP'
);
@@ -356,7 +339,6 @@ m% "lemonldap=$spId"
),
'Test if user is reject on SP'
);
diff --git a/lemonldap-ng-portal/t/test-lib.pm b/lemonldap-ng-portal/t/test-lib.pm
index 3cd18aeaa..ae7d72c2d 100644
--- a/lemonldap-ng-portal/t/test-lib.pm
+++ b/lemonldap-ng-portal/t/test-lib.pm
@@ -140,8 +140,7 @@ sub count_sessions {
sub getCache {
require Cache::FileCache;
- return Cache::FileCache->new(
- {
+ return Cache::FileCache->new( {
namespace => 'lemonldap-ng-session',
cache_root => $tmpDir,
cache_depth => 0,
@@ -333,10 +332,12 @@ Verify that the HTTP response contains valid JSON and returns the corresponding
sub expectJSON {
my ($res) = @_;
is( $res->[0], 200, ' HTTP code is 200' ) or explain( $res, 200 );
- my %hdr = @{$res->[1]};
- like( $hdr{'Content-Type'}, qr,^application/json,i , ' Content-Type is JSON' ) or explain( $res );
+ my %hdr = @{ $res->[1] };
+ like( $hdr{'Content-Type'}, qr,^application/json,i,
+ ' Content-Type is JSON' )
+ or explain($res);
my $json;
- eval { $json = JSON::from_json($res->[2]->[0]) };
+ eval { $json = JSON::from_json( $res->[2]->[0] ) };
ok( not($@), 'Content is valid JSON' );
count(3);
return $json;
@@ -701,14 +702,13 @@ to test content I<(to launch a C for example)>.
sub _get {
my ( $self, $path, %args ) = @_;
- my $res = $self->app->(
- {
+ my $res = $self->app->( {
'HTTP_ACCEPT' => $args{accept}
|| 'application/json, text/plain, */*',
'HTTP_ACCEPT_LANGUAGE' => 'fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3',
'HTTP_CACHE_CONTROL' => 'max-age=0',
( $args{cookie} ? ( HTTP_COOKIE => $args{cookie} ) : () ),
- 'HTTP_HOST' => 'auth.example.com',
+ 'HTTP_HOST' => ( $args{host} ? $args{host} : 'auth.example.com' ),
'HTTP_USER_AGENT' =>
'Mozilla/5.0 (VAX-4000; rv:36.0) Gecko/20350101 Firefox',
'PATH_INFO' => $path,
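Review bot: The new `HTTP_HOST` line uses a ternary for its fall-back while the `accept` entry two lines above uses `||` for exactly the same purpose; `'HTTP_HOST' => $args{host} || 'auth.example.com',` behaves identically and keeps the two defaults consistent. The same applies to the matching hunk in `_post` below. The POD preceding `_get` (its tail is visible in the hunk header) presumably lists the recognised `%args` keys; `host` should be documented there, e.g. `host => value sent as HTTP_HOST (default auth.example.com)`. The body of `_get` continues past the hunk.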
@@ -754,14 +754,13 @@ sub _post {
my ( $self, $path, $body, %args ) = @_;
die "$body must be a IO::Handle"
unless ( ref($body) and $body->can('read') );
- my $res = $self->app->(
- {
+ my $res = $self->app->( {
'HTTP_ACCEPT' => $args{accept}
|| 'application/json, text/plain, */*',
'HTTP_ACCEPT_LANGUAGE' => 'fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3',
'HTTP_CACHE_CONTROL' => 'max-age=0',
( $args{cookie} ? ( HTTP_COOKIE => $args{cookie} ) : () ),
- 'HTTP_HOST' => 'auth.example.com',
+ 'HTTP_HOST' => ( $args{host} ? $args{host} : 'auth.example.com' ),
'HTTP_USER_AGENT' =>
'Mozilla/5.0 (VAX-4000; rv:36.0) Gecko/20350101 Firefox',
'PATH_INFO' => $path,