Unit tests for SAML auth hooks (#2730)

2022-03-17 17:08:32 +01:00 · 2022-03-17 17:08:32 +01:00 · 6ccdcec181
parent 8d2b2c64ee
commit 6ccdcec181
3 changed files with 35 additions and 190 deletions
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-Hook.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-Hook.t
@ -1,185 +0,0 @@
-use lib 'inc';
-use Test::More;
-use strict;
-use IO::String;
-use LWP::UserAgent;
-use LWP::Protocol::PSGI;
-use MIME::Base64;
-
-BEGIN {
-    require 't/test-lib.pm';
-    require 't/saml-lib.pm';
-}
-
-my $maintests = 3;
-my $debug     = 'error';
-my ( $issuer, $sp, $res );
-
-# Redefine LWP methods for tests
-LWP::Protocol::PSGI->register(
-    sub {
-        my $req = Plack::Request->new(@_);
-        fail('POST should not launch SOAP requests');
-        count(1);
-        return [ 500, [], [] ];
-    }
-);
-
-SKIP: {
-    eval "use Lasso";
-    if ($@) {
-        skip 'Lasso not found', $maintests;
-    }
-
-    # Initialization
-    $issuer = register( 'issuer', \&issuer );
-    $sp     = register( 'sp',     \&sp );
-
-    my ( $url, $s, $pdata, $host );
-
-    # Simple SP access
-    ok(
-        $res = $sp->_get(
-            '/', accept => 'text/html',
-        ),
-        'Unauth SP request'
-    );
-    expectOK($res);
-    ( $host, $url, $s ) =
-      expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
-        'SAMLRequest' );
-
-    # Push SAML request to IdP
-    ok(
-        $res = $issuer->_post(
-            $url,
-            IO::String->new($s),
-            accept => 'text/html',
-            length => length($s)
-        ),
-        'Post SAML request to IdP'
-    );
-    expectOK($res);
-    $pdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );
-
-    # Try to authenticate with an authorized user to IdP
-    $s = "user=french&password=french&$s";
-    ok(
-        $res = $issuer->_post(
-            $url,
-            IO::String->new($s),
-            accept => 'text/html',
-            cookie => $pdata,
-            length => length($s),
-        ),
-        'Post authentication'
-    );
-    my $idpId = expectCookie($res);
-
-    # Expect failure triggered by the hook
-    expectPortalError( $res, -999 );
-}
-
-count($maintests);
-clean_sessions();
-done_testing( count() );
-
-sub issuer {
-    return LLNG::Manager::Test->new( {
-            ini => {
-                logLevel               => $debug,
-                domain                 => 'idp.com',
-                portal                 => 'http://auth.idp.com',
-                authentication         => 'Demo',
-                userDB                 => 'Same',
-                issuerDBSAMLActivation => 1,
-                issuerDBSAMLRule       => '$uid eq "french"',
-                samlSPMetaDataOptions  => {
-                    'sp.com' => {
-                        samlSPMetaDataOptionsEncryptionMode           => 'none',
-                        samlSPMetaDataOptionsSignSSOMessage           => 1,
-                        samlSPMetaDataOptionsSignSLOMessage           => 1,
-                        samlSPMetaDataOptionsCheckSSOMessageSignature => 1,
-                        samlSPMetaDataOptionsCheckSLOMessageSignature => 1,
-                    }
-                },
-                samlSPMetaDataExportedAttributes => {
-                    'sp.com' => {
-                        cn =>
-'1;cn;urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
-                        uid =>
-'1;uid;urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
-                    }
-                },
-                samlOrganizationDisplayName => "IDP",
-                samlOrganizationName        => "IDP",
-                samlOrganizationURL         => "http://www.idp.com/",
-                samlServicePrivateKeyEnc    => saml_key_idp_private_enc,
-                samlServicePrivateKeySig    => saml_key_idp_private_sig,
-                samlServicePublicKeyEnc     => saml_key_idp_public_enc,
-                samlServicePublicKeySig     => saml_key_idp_public_sig,
-                samlSPMetaDataXML           => {
-                    "sp.com" => {
-                        samlSPMetaDataXML =>
-                          samlSPMetaDataXML( 'sp', 'HTTP-POST' )
-                    },
-                },
-                customPlugins => 't::SamlHookPlugin',
-            }
-        }
-    );
-}
-
-sub sp {
-    return LLNG::Manager::Test->new( {
-            ini => {
-                logLevel                          => $debug,
-                domain                            => 'sp.com',
-                portal                            => 'http://auth.sp.com',
-                authentication                    => 'SAML',
-                userDB                            => 'Same',
-                issuerDBSAMLActivation            => 0,
-                restSessionServer                 => 1,
-                samlIDPMetaDataExportedAttributes => {
-                    idp => {
-                        mail => "0;mail;;",
-                        uid  => "1;uid",
-                        cn   => "0;cn"
-                    }
-                },
-                samlIDPMetaDataOptions => {
-                    idp => {
-                        samlIDPMetaDataOptionsEncryptionMode => 'none',
-                        samlIDPMetaDataOptionsSSOBinding     => 'post',
-                        samlIDPMetaDataOptionsSLOBinding     => 'post',
-                        samlIDPMetaDataOptionsSignSSOMessage => 1,
-                        samlIDPMetaDataOptionsSignSLOMessage => 1,
-                        samlIDPMetaDataOptionsCheckSSOMessageSignature => 1,
-                        samlIDPMetaDataOptionsCheckSLOMessageSignature => 1,
-                        samlIDPMetaDataOptionsForceUTF8                => 1,
-                    }
-                },
-                samlIDPMetaDataExportedAttributes => {
-                    idp => {
-                        "uid" => "0;uid;;",
-                        "cn"  => "1;cn;;",
-                    },
-                },
-                samlIDPMetaDataXML => {
-                    idp => {
-                        samlIDPMetaDataXML =>
-                          samlIDPMetaDataXML( 'idp', 'HTTP-POST' )
-                    }
-                },
-                samlOrganizationDisplayName => "SP",
-                samlOrganizationName        => "SP",
-                samlOrganizationURL         => "http://www.sp.com",
-                samlServicePublicKeySig     => saml_key_sp_public_sig,
-                samlServicePrivateKeyEnc    => saml_key_sp_private_enc,
-                samlServicePrivateKeySig    => saml_key_sp_private_sig,
-                samlServicePublicKeyEnc     => saml_key_sp_public_enc,
-                samlSPSSODescriptorAuthnRequestsSigned => 1,
-            },
-        }
-    );
-}
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST.t
@ -11,7 +11,7 @@ BEGIN {
    require 't/saml-lib.pm';
 }

-my $maintests = 22;
+my $maintests = 25;
 my $debug     = 'error';
 my ( $issuer, $sp, $res );

@ -61,6 +61,9 @@ SKIP: {
    my ( $host, $url, $s ) =
      expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn',
        'SAMLRequest' );
+    my $pdata_hash = expectPdata($res);
+    is( $pdata_hash->{genRequestHookCalled},
+        1, 'samlGenerateRequestHook called' );

    # Push SAML request to IdP
    switch ('issuer');
@ -141,6 +144,10 @@ SKIP: {
      expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleSignOnPost',
        'SAMLResponse' );

+    $pdata_hash = expectPdata($res);
+    is( $pdata_hash->{gotRequestHookCalled},
+        1, 'samlGotRequestHookCalled called' );
+
    # Post SAML response to SP
    switch ('sp');
    ok(
@ -167,6 +174,7 @@ SKIP: {
    expectOK($res);
    ok( $res = eval { JSON::from_json( $res->[2]->[0] ) }, ' GET JSON' )
      or print STDERR $@;
+    is( $res->{gotResponseHookCalled}, 1, 'samlGotResponseHook called' );
    ok( $res->{cn} eq 'Frédéric Accents', 'UTF-8 values' )
      or explain( $res, 'cn => Frédéric Accents' );

@ -284,6 +292,7 @@ sub issuer {
                          samlSPMetaDataXML( 'sp', 'HTTP-POST' )
                    },
                },
+                customPlugins => 't::SamlHookPlugin',
            }
        }
    );
@ -338,6 +347,8 @@ sub sp {
                samlServicePrivateKeySig    => saml_key_sp_private_sig,
                samlServicePublicKeyEnc     => saml_key_sp_public_enc,
                samlSPSSODescriptorAuthnRequestsSigned => 1,
+                customPlugins                          => 't::SamlHookPlugin',
+
            },
        }
    );
--- a/lemonldap-ng-portal/t/SamlHookPlugin.pm
+++ b/lemonldap-ng-portal/t/SamlHookPlugin.pm
@ -3,13 +3,32 @@ package t::SamlHookPlugin;
 use Mouse;
 extends 'Lemonldap::NG::Portal::Main::Plugin';

-use constant hook => { samlGotAuthnRequest => 'gotRequest', };
+use constant hook => {
+    samlGotAuthnRequest      => 'gotRequest',
+    samlGenerateAuthnRequest => 'genRequest',
+    samlGotAuthnResponse     => 'gotResponse',
+};

 sub gotRequest {
-    my ( $self, $res, $login ) = @_;
+    my ( $self, $req, $login ) = @_;

-    # Return a weird
-    return -999;
+    $req->pdata->{gotRequestHookCalled} = 1;
+    return 0;
+}
+
+sub genRequest {
+    my ( $self, $req, $idp, $login ) = @_;
+
+    $req->pdata->{genRequestHookCalled} = 1;
+    return 0;
+}
+
+sub gotResponse {
+    my ( $self, $req, $idp, $login ) = @_;
+
+    $req->sessionInfo->{gotResponseHookCalled} = 1;
+    $req->pdata->{gotResponseHookCalled}       = 1;
+    return 0;
 }

 1;