From 5202cd6f7cabe7fc9ab4ea62db721c55eceac346 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Sat, 31 Dec 2016 14:40:26 +0000 Subject: [PATCH] OIDC in progress (#595) --- .../Lemonldap/NG/Portal/Auth/OpenIDConnect.pm | 6 +- .../t/32-Auth-and-issuer-OIDC.t | 88 +++++++++++++++---- 2 files changed, 72 insertions(+), 22 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm index 46ae349b7..83d8a147a 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm @@ -1,4 +1,4 @@ -package Lemonldap::NG::Portal::Auth::SAML; +package Lemonldap::NG::Portal::Auth::OpenIDConnect; use strict; use Mouse; @@ -22,7 +22,7 @@ has opNumber => ( is => 'rw', default => 0 ); sub init { my ($self) = @_; - return 0 unless ( $self->loadOPs and $self->refreshJWSdata ); + return 0 unless ( $self->loadOPs and $self->refreshJWKSdata ); my @tab = ( sort keys %{ $self->oidcOPList } ); unless (@tab) { $self->lmLog( "No OP configured", 'error' ); @@ -31,7 +31,7 @@ sub init { $self->opNumber( scalar @tab ); my @list = (); - my $portalPath = $self->{portal}; + my $portalPath = $self->conf->{portal}; $portalPath =~ s#^https?://[^/]+/?#/#; foreach (@tab) { diff --git a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC.t index c0afd3d7b..ffdd106ae 100644 --- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC.t +++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC.t 
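Review bot: In the `@@ -22,7 +22,7 @@` hunk, `return 0 unless ( $self->loadOPs and $self->refreshJWKSdata );` aborts init without any log line, whereas the empty-OP case a few lines below reports `"No OP configured"` through lmLog; unless loadOPs and refreshJWKSdata log their own failures (not visible here), a malformed or unreachable JWKS document leaves the OpenIDConnect auth module silently disabled. I would split the condition so each failure is named, e.g. `unless ( $self->loadOPs ) { $self->lmLog( 'Unable to load OpenID Connect providers', 'error' ); return 0; }` followed by the same guard for `refreshJWKSdata` with its own message. The renamed call matches the JWKS terminology used in the rest of the patch. The body of sub init continues past the end of this hunk and of the `@@ -31,7` hunk that follows it.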
@@ -12,20 +12,31 @@ my ( $issuer, $sp, $res ); my %handlerOR = ( issuer => [], sp => [] ); # Initialization -ok( $issuer = issuer(), 'Issuer portal' ); +ok( $issuer = issuer(), 'OP portal' ); + +ok( $res = $issuer->_get('/oauth2/jwks'), 'Get JWKS' ); +my $jwks = $res->[2]->[0]; + +ok( $res = $issuer->_get('/.well-known/openid-configuration'), 'Get metadata' ); +my $metadata = $res->[2]->[0]; +count(3); + +switch ('sp'); +ok( $sp = sp( $jwks, $metadata ), 'RP portal' ); count(1); -ok($res=$issuer->_get('/oauth2/jwks'),'Get JWKS'); -count(1); - -ok($res=$issuer->_get('/.well-known/openid-configuration'),'Get metadata'); -count(1); - -print STDERR Dumper($res); +#print STDERR Dumper( $jwks, $metadata ); clean_sessions(); done_testing( count() ); +sub switch { + my $type = shift; + @Lemonldap::NG::Handler::Main::Reload::_onReload = @{ + $handlerOR{$type}; + }; +} + sub issuer { return LLNG::Manager::Test->new( { @@ -57,13 +68,13 @@ sub issuer { oidcServiceAllowAuthorizationCodeFlow => 1, oidcRPMetaDataOptions => { rp => { - oidcRPMetaDataOptionsDisplayName => "RP", - oidcRPMetaDataOptionsIDTokenExpiration => 3600, - oidcRPMetaDataOptionsClientID => "rp", - oidcRPMetaDataOptionsIDTokenSignAlg => "HS512", - oidcRPMetaDataOptionsBypassConsent => 0, - oidcRPMetaDataOptionsClientSecret => "rp", - oidcRPMetaDataOptionsUserIDAttr => "", + oidcRPMetaDataOptionsDisplayName => "RP", + oidcRPMetaDataOptionsIDTokenExpiration => 3600, + oidcRPMetaDataOptionsClientID => "rpid", + oidcRPMetaDataOptionsIDTokenSignAlg => "HS512", + oidcRPMetaDataOptionsBypassConsent => 0, + oidcRPMetaDataOptionsClientSecret => "rpsecret", + oidcRPMetaDataOptionsUserIDAttr => "", oidcRPMetaDataOptionsAccessTokenExpiration => 3600 } }, 
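Review bot: `ok( $res = $issuer->_get('/oauth2/jwks'), 'Get JWKS' )` only asserts that a response arrayref came back, so a 404 or 500 body would be stored in `$jwks` (and likewise in `$metadata`) and then handed to `sp()` as if it were a valid JWKS or discovery document; add `is( $res->[0], 200, 'JWKS endpoint returns 200' );` after each `_get` and raise the `count()` calls accordingly. The new `switch` sub assigns `@_onReload` from `$handlerOR{$type}`, but both entries are initialised as empty arrayrefs on the context line and nothing in this hunk pushes into them, so `switch('sp')` appears to clear the issuer's reload callbacks rather than swap handler sets — worth confirming against whatever populates `%handlerOR` elsewhere in the file. A short comment above `switch`, such as `# Point the handler reload hook at the callbacks of the portal ($type) under test`, would make the intent clear. `sub sp` is defined in a later hunk of this file.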
@@ -78,8 +89,7 @@ sub issuer { 'loa-2' => 2, 'loa-3' => 3 }, - oidcServicePrivateKeySig => -"-----BEGIN RSA PRIVATE KEY----- + oidcServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt GMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb ABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr @@ -107,8 +117,7 @@ EYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy PAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl -----END RSA PRIVATE KEY----- ", - oidcServicePublicKeySig => -"-----BEGIN PUBLIC KEY----- + oidcServicePublicKeySig => "-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/ /5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T rH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH @@ -122,3 +131,44 @@ GQIDAQAB } ); } + +sub sp { + my ( $jwks, $metadata ) = @_; + return LLNG::Manager::Test->new( + { + ini => { + logLevel => $debug, + domain => 'rp.com', + portal => 'http://auth.rp.com', + authentication => 'OpenIDConnect', + userDB => 'OpenIDConnect', + oidcOPMetaDataExportedVars => { + op => { + cn => "name", + uid => "sub", + sn => "family_name", + mail => "email" + } + }, + oidcOPMetaDataOptions => { + op => { + oidcOPMetaDataOptionsJWKSTimeout => 0, + oidcOPMetaDataOptionsClientSecret => "rpsecret", + oidcOPMetaDataOptionsScope => "openid profile", + oidcOPMetaDataOptionsStoreIDToken => 0, + oidcOPMetaDataOptionsDisplay => "", + oidcOPMetaDataOptionsClientID => "rpid", + oidcOPMetaDataOptionsConfigurationURI => + "https://auth.op.com/.well-known/openid-configuration" + } + }, + oidcOPMetaDataJWKS => { + op => $jwks, + }, + oidcOPMetaDataJSON => { + op => $metadata, + } + } + } + ); +}
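Review bot: In the `@@ -122,3 +131,44 @@` hunk, `sub sp` hard-codes `oidcOPMetaDataOptionsConfigurationURI => "https://auth.op.com/.well-known/openid-configuration"` while `oidcOPMetaDataJWKS` and `oidcOPMetaDataJSON` are seeded with the `$jwks`/`$metadata` values passed in, and nothing says that these pre-seeded documents (together with `oidcOPMetaDataOptionsJWKSTimeout => 0`) are what is meant to keep the test from attempting a network fetch. The caller passes raw response bodies (`$res->[2]->[0]`), so it is also unstated whether the loader expects JSON strings or decoded structures; if it expects decoded hashes, the mismatch would only surface at the first real authorization round-trip, which this commit does not yet exercise. I would add a header comment to the sub: `# RP portal: JWKS and discovery document are pre-seeded from the OP's own responses so the ConfigurationURI is never fetched during the test`. The `@@ -78` and `@@ -107` hunks only move the opening quote of the key strings and need no review.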