dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'v2.0' (with new tidy)

Browse Source
This commit is contained in:
Xavier 2019-07-02 20:12:11 +02:00
commit 3b7a70e0b7
118 changed files with 740 additions and 191 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Makefile
View File

@ -1115,7 +1115,10 @@ test-diff:
done
tidy: clean
find lemon*/ -type f \( -name '*.pm' -or -name '*.pl' -or -name '*.fcgi' -or -name '*.t' \) -print -exec perltidy -se -b {} \;
@if perltidy -v|grep v20181120 >/dev/null; then \
find lemon*/ -type f \( -name '*.pm' -or -name '*.pl' -or -name '*.fcgi' -or -name '*.t' \) -print -exec perltidy -se -b {} \; ; \
else echo "Wrong perltidy version, please install Perl::Tidy@20181120" ; exit 1 ;\
fi
find lemon*/ -name '*.bak' -delete
$(MAKE) json

2
fastcgi-server/man/llng-fastcgi-server.1p
View File

@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "llng-fastcgi-server 1"
.TH llng-fastcgi-server 1 "2019-06-27" "perl v5.28.1" "User Contributed Perl Documentation"
.TH llng-fastcgi-server 1 "2019-07-02" "perl v5.28.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l

11
lemonldap-ng-common/lib/Lemonldap/NG/Common/IO/Filter.pm
View File

@ -39,9 +39,14 @@ sub READLINE {
# Parse strings after code/IO
foreach my $key ( keys %$self ) {
die "Undefined value for __LLNG_${key}__ substitution" unless $self->{$key};
my $v = (ref $self->{$key} and ref $self->{$key} eq 'ARRAY') ?$self->{$key}:[$self->{$key}];
$v = join "\n", map {ref $_ ? () : qq'<TMPL_INCLUDE NAME="$_.tpl">'} @$v;
die "Undefined value for __LLNG_${key}__ substitution"
unless $self->{$key};
my $v =
( ref $self->{$key} and ref $self->{$key} eq 'ARRAY' )
? $self->{$key}
: [ $self->{$key} ];
$v = join "\n",
map { ref $_ ? () : qq'<TMPL_INCLUDE NAME="$_.tpl">' } @$v;
$res =~ s/__LLNG_${key}__/$v/gs;
}
return $res;

3
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
View File

@ -218,8 +218,7 @@ m[^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9/\+\r\
},
'select' => {
'test' => sub {
my $test =
grep( { $_ eq $_[0]; }
my $test = grep( { $_ eq $_[0]; }
map( { $_->{'k'}; } @{ $_[2]{'select'}; } ) );
return $test
? 1

1
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
View File

@ -1160,6 +1160,7 @@ sub attributes {
type => 'bool',
documentation => 'Enabled persistent storage',
},
# SAML issuer
issuerDBSAMLActivation => {
default => 0,

4
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
View File

@ -684,6 +684,7 @@ sub tree {
'contextSwitchingRule',
'contextSwitchingIdRule',
'contextSwitchingStopWithLogout',
#'contextSwitchingHiddenAttributes',
]
},
@ -957,7 +958,8 @@ sub tree {
help => 'samlservice.html#organization',
form => 'simpleInputContainer',
nodes => [
'samlOrganizationDisplayName', 'samlOrganizationName',
'samlOrganizationDisplayName',
'samlOrganizationName',
'samlOrganizationURL'
]
},

6
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm
View File

@ -646,8 +646,10 @@ sub tests {
# Warn if Impersonation and ContextSwitching are simultaneously enabled
impersonation => sub {
return ( 1,
"Impersonation and ContextSwitching are simultaneously enabled" )
if ( $conf->{impersonationRule} && $conf->{contextSwitchingRule} );
"Impersonation and ContextSwitching are simultaneously enabled"
)
if ( $conf->{impersonationRule}
&& $conf->{contextSwitchingRule} );
# Return
return 1;

1
lemonldap-ng-portal/MANIFEST
View File

@ -472,6 +472,7 @@ t/31-Auth-and-issuer-CAS-XSS-on-logout.t
t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t
t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t
t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t
t/32-Auth-and-issuer-OIDC-authorization_code.t
t/32-Auth-and-issuer-OIDC-hybrid.t
t/32-Auth-and-issuer-OIDC-implicit.t

4
lemonldap-ng-portal/Makefile.PL
View File

@ -28,6 +28,7 @@ WriteMakefile(
'Net::OpenID::Consumer' => 0,
'Net::OpenID::Server' => 0,
'SOAP::Lite' => 0,
'Text::Unidecode' => 0,
'Unicode::String' => 0,
'Web::ID' => 0,
},
@ -55,6 +56,9 @@ WriteMakefile(
'MIME::Entity' => 0,
'SOAP::Lite' => 0,
'String::Random' => 0,
'Text::Unidecode' => 0,
'XML::LibXML' => 0,
'XML::Simple' => 0,
},
PREREQ_PM => {
'Clone' => 0,

9
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
View File

@ -768,7 +768,9 @@ sub verifyJWTSignature {
. " is present but algorithm is 'none'" );
return 0;
}
return 1;
$self->logger->debug(
"JWT algorithm is 'none', signature cannot be verified");
return 0;
}
if ( $alg eq "HS256" or $alg eq "HS384" or $alg eq "HS512" ) {
@ -1146,7 +1148,7 @@ sub createJWT {
my ( $self, $payload, $alg, $rp ) = @_;
# Payload encoding
my $jwt_payload = encode_base64( to_json($payload), "" );
my $jwt_payload = encode_base64url( to_json($payload), "" );
# JWT header
my $jwt_header_hash = { typ => "JWT", alg => $alg };
@ -1154,7 +1156,7 @@ sub createJWT {
$jwt_header_hash->{kid} = $self->conf->{oidcServiceKeyIdSig}
if $self->conf->{oidcServiceKeyIdSig};
}
my $jwt_header = encode_base64( to_json($jwt_header_hash), "" );
my $jwt_header = encode_base64url( to_json($jwt_header_hash), "" );
if ( $alg eq "none" ) {
@ -1193,6 +1195,7 @@ sub createJWT {
# Convert + and / to get Base64 URL valid (RFC 4648)
$digest =~ s/\+/-/g;
$digest =~ s/\//_/g;
$digest =~ s/=+$//g;
return $jwt_header . "." . $jwt_payload . "." . $digest;
}

6
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Menu.pm
View File

@ -110,7 +110,8 @@ sub params {
$res{DISPLAY_TAB} = $req->param("tab");
}
else {
$res{DISPLAY_TAB} = $res{DISPLAY_MODULES}->[0]->{FavApps} ? "favApps" : "appslist";
$res{DISPLAY_TAB} =
$res{DISPLAY_MODULES}->[0]->{FavApps} ? "favApps" : "appslist";
}
}
@ -421,7 +422,8 @@ sub _filterHash {
$appuri ||= '/';
# Remove if display is "no" or "off"
delete $apphash->{$key} and next if ( $appdisplay =~ /^(no|off)$/ );
delete $apphash->{$key} and next
if ( $appdisplay =~ /^(no|off)$/ );
# Keep node if display is "yes" or "on"
next if ( $appdisplay =~ /^(yes|on)$/ );

5
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
View File

@ -452,7 +452,10 @@ sub updatePersistentSession {
my ( $self, $req, $infos, $uid, $id ) = @_;
# Return if no infos to update
return () unless ( ref $infos eq 'HASH' and %$infos and !$self->conf->{disablePersistentStorage} );
return ()
unless ( ref $infos eq 'HASH'
and %$infos
and !$self->conf->{disablePersistentStorage} );
$uid ||= $req->{sessionInfo}->{ $self->conf->{whatToTrace} }
|| $req->userData->{ $self->conf->{whatToTrace} };

21
lemonldap-ng-portal/t/28-AuthChoice-with-rules.t
View File

@ -72,20 +72,26 @@ SKIP: {
or explain( $res->[2]->[0], '<img src="/static/common/modules/SSL.png' );
ok( $res->[2]->[0] =~ qr%img src="/static/common/modules/Apache.png"%,
'Found 6_FakeCustom Logo' )
or explain( $res->[2]->[0], '<img src="/static/common/modules/Apache.png' );
or
explain( $res->[2]->[0], '<img src="/static/common/modules/Apache.png' );
ok( $res->[2]->[0] =~ qr%<img src="/static/common/modules/Kerberos.png"%,
'Found 7_Kerberos Logo' )
or explain( $res->[2]->[0], '<img src="/static/common/modules/Kerberos.png' );
or explain( $res->[2]->[0],
'<img src="/static/common/modules/Kerberos.png' );
ok(
$res->[2]->[0] =~
m%<form id="lformDemo" action="https://test.example.com"%,
' Redirect URL found'
) or explain( $res->[2]->[0], '<form id="lformDemo" action="https://test.example.com"' );
)
or explain( $res->[2]->[0],
'<form id="lformDemo" action="https://test.example.com"' );
ok(
$res->[2]->[0] =~
m%<script type="application/init">\s*\{"sslHost":"https://authssl.example.com:19876"\}\s*</script>%s,
' SSL AJAX URL found'
) or explain( $res->[2]->[0], '<script type="application/init">\{"sslHost"' );
)
or
explain( $res->[2]->[0], '<script type="application/init">\{"sslHost"' );
expectForm( $res, '#', undef, 'kerberos' );
ok(
$res->[2]->[0] =~ m%<input type="hidden" name="kerberos" value="0" />%,
@ -110,12 +116,15 @@ m%<form id="lformKerberos" action="#" method="post" class="login Kerberos">%,
my $header = getHeader( $res, 'Content-Security-Policy' );
ok( $header =~ m%;form-action \'self\' https://test.example.com;%,
' CSP URL found' )
or explain( $res->[1], 'form-action \'self\' https://test.example.com;' );
or
explain( $res->[1], 'form-action \'self\' https://test.example.com;' );
ok( $res->[2]->[0] !~ /4_demo/, '4_Demo not displayed' );
ok(
$res->[2]->[0] =~ qr%<img src="/static/common/logos/logo_llng_old.png"%,
'Found custom Main Logo'
) or explain( $res->[2]->[0], '<img src="/static/common/logos/logo_llng_old.png"' );
)
or explain( $res->[2]->[0],
'<img src="/static/common/logos/logo_llng_old.png"' );
# Test SQL
my $postString = 'user=dwho&password=dwho&test=2_sql';

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-20.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-XSS-on-logout.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app-userattr.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-app.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-declared-apps.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-default.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-proxied.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice-and-cancel.t
View File

@ -16,6 +16,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

3
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-with-choice.t
View File

@ -16,6 +16,9 @@ my $debug = 'error';
my ( $issuer, $sp, $res );
my %handlerOR = ( issuer => [], sp => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
# Redefine LWP methods for tests
LWP::Protocol::PSGI->register(
sub {

1
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
View File

@ -330,6 +330,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",

1
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t
View File

@ -426,6 +426,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,

1
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t
View File

@ -380,6 +380,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",

450
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t Normal file
View File

@ -0,0 +1,450 @@
use lib 'inc';
use Test::More;
use strict;
use IO::String;
use LWP::UserAgent;
use LWP::Protocol::PSGI;
use MIME::Base64;
BEGIN {
require 't/test-lib.pm';
}
my $debug = 'error';
my ( $op, $rp, $res );
my %handlerOR = ( op => [], rp => [] );
my $access_token;
LWP::Protocol::PSGI->register(
sub {
my $req = Plack::Request->new(@_);
ok( $req->uri =~ m#http://auth.((?:o|r)p).com(.*)#, ' REST request' );
my $host = $1;
my $url = $2;
my ( $res, $client );
count(1);
if ( $host eq 'op' ) {
pass(" Request from RP to OP, endpoint $url");
$client = $op;
}
elsif ( $host eq 'rp' ) {
pass(' Request from OP to RP');
$client = $rp;
}
else {
fail(' Aborting REST request (external)');
return [ 500, [], [] ];
}
if ( $req->method =~ /^post$/i ) {
my $s = $req->content;
ok(
$res = $client->_post(
$url, IO::String->new($s),
length => length($s),
type => $req->header('Content-Type'),
),
' Execute request'
);
}
else {
ok(
$res = $client->_get(
$url,
custom => {
HTTP_AUTHORIZATION => $req->header('Authorization'),
}
),
' Execute request'
);
}
ok( $res->[0] == 200, ' Response is 200' );
ok( getHeader( $res, 'Content-Type' ) =~ m#^application/json#,
' Content is JSON' )
or explain( $res->[1], 'Content-Type => application/json' );
count(4);
if ( $res->[2]->[0] =~ /"access_token":"(.*?)"/ ) {
$access_token = $1;
pass "Found access_token $access_token";
count(1);
}
return $res;
}
);
# Initialization
ok( $op = op(), 'OP portal' );
ok( $res = $op->_get('/oauth2/jwks'), 'Get JWKS, endpoint /oauth2/jwks' );
expectOK($res);
my $jwks = $res->[2]->[0];
ok(
$res = $op->_get('/.well-known/openid-configuration'),
'Get metadata, endpoint /.well-known/openid-configuration'
);
expectOK($res);
my $metadata = $res->[2]->[0];
count(3);
switch ('rp');
&Lemonldap::NG::Handler::Main::cfgNum( 0, 0 );
ok( $rp = rp( $jwks, $metadata ), 'RP portal' );
count(1);
# Query RP for auth
ok( $res = $rp->_get( '/', accept => 'text/html' ), 'Unauth SP request' );
count(1);
my ( $url, $query ) =
expectRedirection( $res, qr#http://auth.op.com(/oauth2/authorize)\?(.*)$# );
# Push request to OP
switch ('op');
ok( $res = $op->_get( $url, query => $query, accept => 'text/html' ),
"Push request to OP, endpoint $url" );
count(1);
expectOK($res);
# Try to authenticate to OP
$query = "user=french&password=french&$query";
ok(
$res = $op->_post(
$url,
IO::String->new($query),
accept => 'text/html',
length => length($query),
),
"Post authentication, endpoint $url"
);
count(1);
my $idpId = expectCookie($res);
my ( $host, $tmp );
( $host, $tmp, $query ) = expectForm( $res, '#', undef, 'confirm' );
ok(
$res = $op->_post(
$url,
IO::String->new($query),
accept => 'text/html',
cookie => "lemonldap=$idpId",
length => length($query),
),
"Post confirmation, endpoint $url"
);
count(1);
($query) = expectRedirection( $res, qr#^http://auth.rp.com/?\?(.*)$# );
# Push OP response to RP
switch ('rp');
ok( $res = $rp->_get( '/', query => $query, accept => 'text/html' ),
'Call openidconnectcallback on RP' );
count(1);
my $spId = expectCookie($res);
switch ('op');
ok(
$res = $op->_get( '/oauth2/checksession.html', accept => 'text.html' ),
'Check session, endpoint /oauth2/checksession.html'
);
count(1);
expectOK($res);
ok( getHeader( $res, 'Content-Security-Policy' ) !~ /frame-ancestors/,
' Frame can be embedded' )
or explain( $res->[1],
'Content-Security-Policy does not contain a frame-ancestors' );
count(1);
# Verify UTF-8
ok(
$res = $op->_get(
'/oauth2/userinfo', query => 'access_token=' . $access_token,
),
'Get userinfo'
);
ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
or print STDERR $@;
ok( $res->{name} eq 'Frédéric Accents', 'UTF-8 values' )
or explain( $res, 'name => Frédéric Accents' );
count(3);
ok( $res = $op->_get("/sessions/global/$spId"), 'Get UTF-8' );
expectOK($res);
ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
or print STDERR $@;
ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
or explain( $res, 'cn => Frédéric Accents' );
count(3);
switch ('rp');
ok( $res = $rp->_get("/sessions/global/$spId"), 'Get UTF-8' );
expectOK($res);
ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
or print STDERR $@;
ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
or explain( $res, 'cn => Frédéric Accents' );
count(3);
# Logout initiated by RP
ok(
$res = $rp->_get(
'/',
query => 'logout',
cookie => "lemonldap=$spId",
accept => 'text/html'
),
'Query RP for logout'
);
count(1);
( $url, $query ) = expectRedirection( $res,
qr#http://auth.op.com(/oauth2/logout)\?(post_logout_redirect_uri=.+)$# );
# Push logout to OP
switch ('op');
ok(
$res = $op->_get(
$url,
query => $query,
cookie => "lemonldap=$idpId",
accept => 'text/html'
),
"Push logout request to OP, endpoint $url"
);
count(1);
( $host, $tmp, $query ) = expectForm( $res, '#', undef, 'confirm' );
ok(
$res = $op->_post(
$url, IO::String->new($query),
length => length($query),
cookie => "lemonldap=$idpId",
accept => 'text/html',
),
"Confirm logout, endpoint $url"
);
count(1);
( $url, $query ) = expectRedirection( $res, qr#.# );
# Test logout endpoint without session
ok(
$res = $op->_get(
'/oauth2/logout',
accept => 'text/html',
query => 'post_logout_redirect_uri=http://auth.rp.com/?logout=1'
),
'logout endpoint with redirect, endpoint /oauth2/logout'
);
count(1);
expectRedirection( $res, 'http://auth.rp.com/?logout=1' );
ok( $res = $op->_get('/oauth2/logout'),
'logout endpoint, endpoint /oauth2/logout' );
count(1);
expectReject($res);
# Test if logout is done
ok(
$res = $op->_get(
'/', cookie => "lemonldap=$idpId",
),
'Test if user is reject on IdP'
);
count(1);
expectReject($res);
switch ('rp');
ok(
$res = $rp->_get(
'/',
accept => 'text/html',
cookie =>
"lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
),
'Test if user is reject on SP'
);
count(1);
( $url, $query ) =
expectRedirection( $res, qr#^http://auth.op.com(/oauth2/authorize)\?(.*)$# );
# Test if consent was saved
# -------------------------
# Push request to OP
switch ('op');
ok( $res = $op->_get( $url, query => $query, accept => 'text/html' ),
"Push request to OP, endpoint $url" );
count(1);
expectOK($res);
# Try to authenticate to OP
$query = "user=french&password=french&$query";
ok(
$res = $op->_post(
$url,
IO::String->new($query),
accept => 'text/html',
length => length($query),
),
"Post authentication, endpoint $url"
);
count(1);
$idpId = expectCookie($res);
#expectRedirection( $res, qr#^http://auth.rp.com/# );
#print STDERR Dumper($res);
clean_sessions();
done_testing( count() );
sub switch {
my $type = shift;
pass( '==> Switching to ' . uc($type) . ' <==' );
count(1);
@Lemonldap::NG::Handler::Main::_onReload = @{
$handlerOR{$type};
};
}
sub op {
return LLNG::Manager::Test->new( {
ini => {
logLevel => $debug,
domain => 'idp.com',
portal => 'http://auth.op.com/',
authentication => 'Demo',
userDB => 'Same',
issuerDBOpenIDConnectActivation => "1",
restSessionServer => 1,
oidcRPMetaDataExportedVars => {
rp => {
email => "mail",
family_name => "cn",
name => "cn"
}
},
oidcServiceMetaDataIssuer => "http://auth.op.com/",
oidcServiceMetaDataAuthorizeURI => "authorize",
oidcServiceMetaDataCheckSessionURI => "checksession.html",
oidcServiceMetaDataJWKSURI => "jwks",
oidcServiceMetaDataEndSessionURI => "logout",
oidcServiceMetaDataRegistrationURI => "register",
oidcServiceMetaDataTokenURI => "token",
oidcServiceMetaDataUserInfoURI => "userinfo",
oidcServiceAllowHybridFlow => 1,
oidcServiceAllowImplicitFlow => 1,
oidcServiceAllowDynamicRegistration => 1,
oidcServiceAllowAuthorizationCodeFlow => 1,
oidcRPMetaDataOptions => {
rp => {
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
oidcRPMetaDataOptionsClientID => "rpid",
oidcRPMetaDataOptionsIDTokenSignAlg => "none",
oidcRPMetaDataOptionsBypassConsent => 0,
oidcRPMetaDataOptionsClientSecret => "rpsecret",
oidcRPMetaDataOptionsUserIDAttr => "",
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
oidcRPMetaDataOptionsPostLogoutRedirectUris =>
"http://auth.rp.com/?logout=1"
}
},
oidcOPMetaDataOptions => {},
oidcOPMetaDataJSON => {},
oidcOPMetaDataJWKS => {},
oidcServiceMetaDataAuthnContext => {
'loa-4' => 4,
'loa-1' => 1,
'loa-5' => 5,
'loa-2' => 2,
'loa-3' => 3
},
oidcServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt
GMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb
ABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr
8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdykX5rx0h5SslG3jVWYhZ/SOb2aIzO
r0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO8093X5VVk9vaPRg0zxJQ0Do0YLyzkR
isSAIFb0tdKuDnjRGK6y/N2j6At2HjkxntbtGQIDAQABAoIBADYq6LxJd977LWy3
0HT9nboFPIf+SM2qSEc/S5Po+6ipJBA4ZlZCMf7dHa6znet1TDpqA9iQ4YcqIHMH
6xZNQ7hhgSAzG9TrXBHqP+djDlrrGWotvjuy0IfS9ixFnnLWjrtAH9afRWLuG+a/
NHNC1M6DiiTE0TzL/lpt/zzut3CNmWzH+t19X6UsxUg95AzooEeewEYkv25eumWD
mfQZfCtSlIw1sp/QwxeJa/6LJw7KcPZ1wXUm1BN0b9eiKt9Cmni1MS7elgpZlgGt
xtfGTZtNLQ7bgDiM8MHzUfPBhbceNSIx2BeCuOCs/7eaqgpyYHBbAbuBQex2H61l
Lcc3Tz0CgYEA4Kx/avpCPxnvsJ+nHVQm5d/WERuDxk4vH1DNuCYBvXTdVCGADf6a
F5No1JcTH3nPTyPWazOyGdT9LcsEJicLyD8vCM6hBFstG4XjqcAuqG/9DRsElpHQ
yi1zc5DNP7Vxmiz9wII0Mjy0abYKtxnXh9YK4a9g6wrcTpvShhIcIb8CgYEAzGzG
lorVCfX9jXULIznnR/uuP5aSnTEsn0xJeqTlbW0RFWLdj8aIL1peirh1X89HroB9
GeTNqEJXD+3CVL2cx+BRggMDUmEz4hR59meZCDGUyT5fex4LIsceb/ESUl2jo6Sw
HXwWbN67rQ55N4oiOcOppsGxzOHkl5HdExKidycCgYEAr5Qev2tz+fw65LzfzHvH
Kj4S/KuT/5V6He731cFd+sEpdmX3vPgLVAFPG1Q1DZQT/rTzDDQKK0XX1cGiLG63
NnaqOye/jbfzOF8Z277kt51NFMDYhRLPKDD82IOA4xjY/rPKWndmcxwdob8yAIWh
efY76sMz6ntCT+xWSZA9i+ECgYBWMZM2TIlxLsBfEbfFfZewOUWKWEGvd9l5vV/K
D5cRIYivfMUw5yPq2267jPUolayCvniBH4E7beVpuPVUZ7KgcEvNxtlytbt7muil
5Z6X3tf+VodJ0Swe2NhTmNEB26uwxzLe68BE3VFCsbSYn2y48HAq+MawPZr18bHG
ZfgMxwKBgHHRg6HYqF5Pegzk1746uH2G+OoCovk5ylGGYzcH2ghWTK4agCHfBcDt
EYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy
PAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl
-----END RSA PRIVATE KEY-----
",
oidcServicePublicKeySig => "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/
/5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T
rH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH
1caJ8lmiERFj7IvNKqEhzAk0pyDr8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdy
kX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80
93X5VVk9vaPRg0zxJQ0Do0YLyzkRisSAIFb0tdKuDnjRGK6y/N2j6At2Hjkxntbt
GQIDAQAB
-----END PUBLIC KEY-----
",
}
}
);
}
sub rp {
my ( $jwks, $metadata ) = @_;
return LLNG::Manager::Test->new( {
ini => {
logLevel => $debug,
domain => 'rp.com',
portal => 'http://auth.rp.com/',
authentication => 'OpenIDConnect',
userDB => 'Same',
restSessionServer => 1,
oidcOPMetaDataExportedVars => {
op => {
cn => "name",
uid => "sub",
sn => "family_name",
mail => "email"
}
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 0,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,
oidcOPMetaDataOptionsMaxAge => 30,
oidcOPMetaDataOptionsDisplay => "",
oidcOPMetaDataOptionsClientID => "rpid",
oidcOPMetaDataOptionsConfigurationURI =>
"https://auth.op.com/.well-known/openid-configuration"
}
},
oidcOPMetaDataJWKS => {
op => $jwks,
},
oidcOPMetaDataJSON => {
op => $metadata,
}
}
}
);
}

1
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
View File

@ -426,6 +426,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",

1
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-hybrid.t
View File

@ -333,6 +333,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",

1
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t
View File

@ -315,6 +315,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",

3
lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-sorted.t
View File

@ -241,6 +241,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",
@ -253,6 +254,7 @@ sub rp {
"https://auth.op.com/.well-known/openid-configuration"
},
op2 => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",
@ -264,6 +266,7 @@ sub rp {
"https://auth.op.com/.well-known/openid-configuration"
},
op3 => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",

3
lemonldap-ng-portal/t/32-CAS-10.t
View File

@ -14,6 +14,9 @@ my $debug = 'error';
my ( $issuer, $res );
my %handlerOR = ( issuer => [] );
eval { require XML::Simple };
plan skip_all => "Missing dependencies: $@" if ($@);
ok( $issuer = issuer(), 'Issuer portal' );
count(1);
switch ('issuer');

1
lemonldap-ng-portal/t/32-OIDC-RP-rule.t
View File

@ -243,6 +243,7 @@ sub rp {
},
oidcOPMetaDataOptions => {
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsClientSecret => "rpsecret",
oidcOPMetaDataOptionsScope => "openid profile",

9
lemonldap-ng-portal/t/34-Auth-Proxy-and-REST-Server.t
View File

@ -195,7 +195,14 @@ if ( ok( ref($res) eq 'HASH', ' Result is an hash' ) ) {
}
count(3);
ok($res=Lemonldap::NG::Common::Apache::Session::REST->get_key_from_all_sessions( {baseUrl => 'http://auth.idp.com/sessions/global/'},sub{return 'a'}),'Search all sessions with a code');
ok(
$res =
Lemonldap::NG::Common::Apache::Session::REST->get_key_from_all_sessions(
{ baseUrl => 'http://auth.idp.com/sessions/global/' },
sub { return 'a' }
),
'Search all sessions with a code'
);
if ( ok( ref($res) eq 'HASH', ' Result is an hash' ) ) {
my $tmp = 1;

4
lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST-with-WAYF.t
View File

@ -58,9 +58,9 @@ LWP::Protocol::PSGI->register(
);
SKIP: {
eval "use Lasso";
eval "use Lasso;use XML::Simple";
if ($@) {
skip 'Lasso not found', $maintests;
skip 'Lasso or XML::Simple not found', $maintests;
}
# Initialization

4
lemonldap-ng-portal/t/37-CAS-App-to-SAML-IdP-POST.t
View File

@ -58,9 +58,9 @@ LWP::Protocol::PSGI->register(
);
SKIP: {
eval "use Lasso";
eval "use Lasso;use XML::Simple";
if ($@) {
skip 'Lasso not found', $maintests;
skip 'Lasso or XML::Simple not found', $maintests;
}
# Initialization

4
lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server-with-Choice.t
View File

@ -58,9 +58,9 @@ LWP::Protocol::PSGI->register(
);
SKIP: {
eval "use Lasso";
eval "use Lasso;use XML::Simple";
if ($@) {
skip 'Lasso not found', $maintests;
skip 'Lasso or XML::Simple not found', $maintests;
}
# Initialization

4
lemonldap-ng-portal/t/37-SAML-SP-POST-to-CAS-server.t
View File

@ -58,9 +58,9 @@ LWP::Protocol::PSGI->register(
);
SKIP: {
eval "use Lasso";
eval "use Lasso;use XML::Simple";
if ($@) {
skip 'Lasso not found', $maintests;
skip 'Lasso or XML::Simple not found', $maintests;
}
# Initialization

3
lemonldap-ng-portal/t/41-Captcha.t
View File

@ -35,7 +35,8 @@ SKIP: {
my $token;
ok( $token = $1, ' Token value is defined' );
ok( $res->[2]->[0] =~ m#<img src="data:image/png;base64#,
' Captcha image inserted' ) or explain($res->[2]->[0], '<img src="data:image/png;base64');
' Captcha image inserted' )
or explain( $res->[2]->[0], '<img src="data:image/png;base64' );
# Try to get captcha value

2
lemonldap-ng-portal/t/42-Register-Demo-with-captcha.t
View File

@ -15,7 +15,7 @@ my $mailSend = 0;
SKIP: {
eval
'require Email::Sender::Simple;use GD::SecurityImage;use Image::Magick;';
'require Email::Sender::Simple;use GD::SecurityImage;use Image::Magick;use Text::Unidecode';
if ($@) {
skip 'Missing dependencies', $maintests;
}

2
lemonldap-ng-portal/t/42-Register-Demo-with-token.t
View File

@ -13,7 +13,7 @@ my $maintests = 12;
my ( $res, $user, $pwd );
SKIP: {
eval 'require Email::Sender::Simple';
eval 'require Email::Sender::Simple;use Text::Unidecode';
if ($@) {
skip 'Missing dependencies', $maintests;
}

2
lemonldap-ng-portal/t/42-Register-Demo.t
View File

@ -13,7 +13,7 @@ my $maintests = 9;
my ( $res, $user, $pwd );
SKIP: {
eval 'require Email::Sender::Simple';
eval 'require Email::Sender::Simple; use Text::Unidecode';
if ($@) {
skip 'Missing dependencies', $maintests;
}

2
lemonldap-ng-portal/t/42-Register-Security.t
View File

@ -13,7 +13,7 @@ my $maintests = 5;
my ( $res, $user, $pwd );
SKIP: {
eval 'require Email::Sender::Simple';
eval 'require Email::Sender::Simple;use Text::Unidecode';
if ($@) {
skip 'Missing dependencies', $maintests;
}

24
lemonldap-ng-portal/t/68-ContextSwitching-with-Logout.t
View File

@ -57,13 +57,16 @@ ok(
);
count(1);
expectOK($res);
ok( $res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> rtyler%,
'Connected as rtyler' )
or print STDERR Dumper( $res->[2]->[0] );
ok(
$res->[2]->[0] =~ m%<span trspan="connectedAs">Connected as</span> rtyler%,
'Connected as rtyler'
) or print STDERR Dumper( $res->[2]->[0] );
expectAuthenticatedAs( $res, 'rtyler' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">contextSwitching_ON</span>%,
'Connected as rtyler' )
or print STDERR Dumper( $res->[2]->[0] );
ok(
$res->[2]->[0] =~
m%<span trspan="contextSwitching_ON">contextSwitching_ON</span>%,
'Connected as rtyler'
) or print STDERR Dumper( $res->[2]->[0] );
count(2);
# ContextSwitching form -> PE_OK
@ -80,7 +83,8 @@ count(1);
my ( $host, $url, $query ) =
expectForm( $res, undef, '/switchcontext', 'spoofId' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%, 'Found trspan="contextSwitching_ON"' )
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_ON">%,
'Found trspan="contextSwitching_ON"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_ON"' );
$query =~ s/spoofId=/spoofId=dwho/;
ok(
@ -104,7 +108,8 @@ ok(
);
count(3);
expectAuthenticatedAs( $res, 'dwho' );
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_OFF">%, 'Found trspan="contextSwitching_OFF"' )
ok( $res->[2]->[0] =~ m%<span trspan="contextSwitching_OFF">%,
'Found trspan="contextSwitching_OFF"' )
or explain( $res->[2]->[0], 'trspan="contextSwitching_OFF"' );
ok(
$res = $client->_get(
@ -126,7 +131,8 @@ ok( $res->[2]->[0] =~ m%<td scope="row">dwho</td>%, 'Found value dwho' )
or explain( $res->[2]->[0], 'Value dwho' );
ok( $res->[2]->[0] =~ m%<td scope="row">mail</td>%, 'Found attribute mail' )
or explain( $res->[2]->[0], 'Attribute mail' );
ok( $res->[2]->[0] =~ m%<td scope="row">testPrefix__session_id</td>%, 'Found spoofed _id_session' )
ok( $res->[2]->[0] =~ m%<td scope="row">testPrefix__session_id</td>%,
'Found spoofed _id_session' )
or explain( $res->[2]->[0], 'Spoofed _id_session' );
count(5);

6
lemonldap-ng-portal/t/70-2F-TOTP-with-TTL-and-XML.t
View File

@ -7,7 +7,11 @@ my $maintests = 20;
my $file = '20190616_dwho_Tm90aWZpY2F0aW9uX1NG.json';
SKIP: {
eval { require Convert::Base32 };
eval {
require Convert::Base32;
require XML::LibXML;
require XML::LibXSLT;
};
if ($@) {
skip 'Convert::Base32 is missing', $maintests;
}

7
lemonldap-ng-portal/t/test-ldap.pm
View File

@ -3,11 +3,12 @@
if ( $ENV{LLNGTESTLDAP} ) {
my $slapd_bin = $ENV{LLNGTESTLDAP_SLAPD_BIN} || '/usr/sbin/slapd';
my $slapadd_bin = $ENV{LLNGTESTLDAP_SLAPADD_BIN} || '/usr/sbin/slapadd';
my $slapd_schema_dir =
( $ENV{LLNGTESTLDAP_SCHEMA_DIR}
my $slapd_schema_dir = (
$ENV{LLNGTESTLDAP_SCHEMA_DIR}
and -d $ENV{LLNGTESTLDAP_SCHEMA_DIR} ? $ENV{LLNGTESTLDAP_SCHEMA_DIR}
: -d '/etc/slapd/schema' ? '/etc/slapd/schema'
: '/etc/ldap/schema' );
: '/etc/ldap/schema'
);
eval { mkdir 't/testslapd/slapd.d' };
eval { mkdir 't/testslapd/data' };
system('cp t/testslapd/slapd.ldif t/testslapd/slapd-test.ldif');