diff --git a/lemonldap-ng-portal/t/30-SAML-Macros.t b/lemonldap-ng-portal/t/30-SAML-Macros.t
index 80d9c4c4e..55aa30e8e 100644
--- a/lemonldap-ng-portal/t/30-SAML-Macros.t
+++ b/lemonldap-ng-portal/t/30-SAML-Macros.t
@@ -14,7 +14,7 @@ BEGIN {
my $debug = 'error';
my ( $issuer, $res );
-my $maintests = 6;
+my $maintests = 7;
SKIP: {
eval "use Lasso";
@@ -67,6 +67,9 @@ SKIP: {
{
is( $value->textContent, 'Accents', 'Check Attribute' );
}
+ foreach my $value ( $xpc->findnodes('//saml:NameID') ) {
+ is( $value->textContent, 'customfrench', 'Check NameID from macro' );
+ }
clean_sessions();
}
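Review bot: The `foreach` over `$xpc->findnodes('//saml:NameID')` on the added lines runs zero assertions when the assertion carries no NameID, so a missing NameID would surface only as a `$maintests` plan mismatch instead of a named failure, and two NameID elements would silently add a test. Collect the nodes and pin the count first: `my @nameids = $xpc->findnodes('//saml:NameID'); is( scalar @nameids, 1, 'Exactly one NameID' ); is( $nameids[0]->textContent, 'customfrench', 'Check NameID from macro' );` and bump `$maintests` to match. Since the value now comes from a session key rather than the default, it is also worth asserting `$nameids[0]->getAttribute('Format')` so the change is shown not to alter the declared NameID format, assuming the SP options outside this hunk fix one. The enclosing SKIP block starts before this hunk.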
@@ -84,7 +87,8 @@ sub issuer {
issuerDBSAMLActivation => 1,
samlSPMetaDataMacros => {
'sp.com' => {
- extracted_sn => '(split(/\s/, $cn))[1]'
+ extracted_sn => '(split(/\s/, $cn))[1]',
+ customnameid => '"custom".$uid',
}
},
samlSPMetaDataOptions => {
@@ -95,6 +99,7 @@ sub issuer {
samlSPMetaDataOptionsSignSLOMessage => 1,
samlSPMetaDataOptionsCheckSSOMessageSignature => 1,
samlSPMetaDataOptionsCheckSLOMessageSignature => 1,
+ samlSPMetaDataOptionsNameIDSessionKey => 'customnameid',
}
},
samlSPMetaDataExportedAttributes => {
diff --git a/lemonldap-ng-portal/t/32-CAS-Macros.t b/lemonldap-ng-portal/t/32-CAS-Macros.t
index a6f09b440..da32db9ed 100644
--- a/lemonldap-ng-portal/t/32-CAS-Macros.t
+++ b/lemonldap-ng-portal/t/32-CAS-Macros.t
@@ -74,7 +74,9 @@ expectOK($res);
count(1);
ok( $res->[2]->[0] =~ m#Accents#, "Found macro attribute" );
-count(1);
+ok( $res->[2]->[0] =~ m#customfrench#,
+ "Found cas:user macro value" );
+count(2);
clean_sessions();
done_testing( count() );
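Review bot: `m#customfrench#` on the added line matches anywhere in the CAS response body, so the test would still pass if the value appeared only inside an exported attribute while the user element still carried the plain uid, which is exactly the regression the new `casAppMetaDataOptionsUserAttribute` test is meant to catch. Anchor the match to the element and use `like` for got/expected diagnostics: `like( $res->[2]->[0], qr#<cas:user>customfrench</cas:user>#, "Found cas:user macro value" );`, assuming the response uses the standard `<cas:user>` element. A companion `unlike( $res->[2]->[0], qr#<cas:user>french</cas:user># )` would make the intent explicit.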
@@ -92,6 +94,7 @@ sub issuer {
casAppMetaDataOptions => {
sp => {
casAppMetaDataOptionsService => 'http://auth.sp.com/',
+ casAppMetaDataOptionsUserAttribute => 'customname',
},
},
casAppMetaDataExportedVars => {
@@ -105,6 +108,7 @@ sub issuer {
casAppMetaDataMacros => {
sp => {
extracted_sn => '(split(/\s/, $cn))[1]',
+ customname => '"custom".$uid',
}
},
casAccessControlPolicy => 'error',
diff --git a/lemonldap-ng-portal/t/32-OIDC-Macro.t b/lemonldap-ng-portal/t/32-OIDC-Macro.t
index ea38a804a..b562f10b5 100644
--- a/lemonldap-ng-portal/t/32-OIDC-Macro.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Macro.t
@@ -88,6 +88,7 @@ ok(
my $userinfo = JSON::from_json( $res->[2]->[0] );
is( $userinfo->{family_name}, 'Accents', 'Correct macro value' );
+is( $userinfo->{sub}, 'customfrench', 'Sub macro correctly evaluated' );
clean_sessions();
done_testing();
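Review bot: The added assertion pins `sub` in the userinfo response only, while OIDC Core requires the userinfo `sub` to equal the ID token `sub`, and both are derived from `oidcRPMetaDataOptionsUserIDAttr` through separate code paths that this hunk does not cross-check. Unless the ID token is already decoded and asserted earlier in this file (not visible here), add next to it `is( id_token_payload($id_token)->{sub}, 'customfrench', 'Sub macro in ID token' );` using the `id_token_payload` helper the sibling OIDC tests in this diff rely on and whichever variable holds the token.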
@@ -123,6 +124,7 @@ sub op {
oidcRPMetaDataMacros => {
rp => {
extract_sn => '(split(/\s/, $cn))[1]',
+ custom_sub => '"custom".$uid',
}
},
oidcRPMetaDataOptions => {
@@ -133,7 +135,7 @@ sub op {
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
oidcRPMetaDataOptionsBypassConsent => 1,
oidcRPMetaDataOptionsClientSecret => "rpsecret",
- oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsUserIDAttr => "custom_sub",
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
}
},
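Review bot: With `oidcRPMetaDataOptionsUserIDAttr` now pointing at the `custom_sub` macro, the `sub` issued to this RP is whatever `"custom".$uid` evaluates to, and nothing in the diff exercises the case where a macro yields undef or an empty string (for example a session lacking `uid`). An empty or constant `sub` is an identity-confusion risk for the RP, which is required to key users on `sub` alone, so the portal should refuse to issue a token rather than emit `sub: ""`. Consider a companion test that configures a macro evaluating to undef and asserts the authorization or token request fails; how the portal currently handles an undefined macro result is not visible in this diff.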
diff --git a/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t b/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
index f925d9929..2f600327a 100644
--- a/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
@@ -41,7 +41,12 @@ my $op = LLNG::Manager::Test->new( {
oidcServiceAllowImplicitFlow => 1,
oidcServiceAllowDynamicRegistration => 1,
oidcServiceAllowAuthorizationCodeFlow => 1,
- oidcRPMetaDataOptions => {
+ oidcRPMetaDataMacros => {
+ rp => {
+ custom_sub => '"custom".$uid',
+ }
+ },
+ oidcRPMetaDataOptions => {
rp => {
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
@@ -49,7 +54,7 @@ my $op = LLNG::Manager::Test->new( {
oidcRPMetaDataOptionsAllowOffline => 1,
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
oidcRPMetaDataOptionsClientSecret => "rpsecret",
- oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsUserIDAttr => "custom_sub",
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
oidcRPMetaDataOptionsBypassConsent => 1,
oidcRPMetaDataOptionsIDTokenForceClaims => 1,
@@ -119,12 +124,11 @@ my $id_token = $json->{id_token};
ok( $access_token, "Got access token" );
ok( $refresh_token, "Got refresh token" );
ok( $id_token, "Got ID token" );
-count(3);
my $id_token_payload = id_token_payload($id_token);
is( $id_token_payload->{name}, 'Frédéric Accents',
'Found claim in ID token' );
-count(1);
+is( $id_token_payload->{sub}, 'customfrench', 'Found sub in ID token' );
# Get userinfo
$res = $op->_post(
@@ -140,7 +144,7 @@ $res = $op->_post(
$json = expectJSON($res);
ok( $json->{'name'} eq "Frédéric Accents", 'Got User Info' );
-count(1);
+ok( $json->{'sub'} eq "customfrench", 'Got User Info' );
$op->logout($idpId);
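Review bot: The added check `ok( $json->{'sub'} eq "customfrench", 'Got User Info' )` reuses the description of the preceding `name` assertion, so a failure of either is indistinguishable in the TAP output, and `ok ... eq` prints no got/expected values while emitting an uninitialized-value warning if `sub` is absent. Prefer `is( $json->{sub}, 'customfrench', 'Got sub in user info' );`, matching the `is(...)` form this file already uses for the ID-token `sub` checks. The same `ok ... eq` pattern recurs in the later userinfo checks of this file.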
@@ -160,7 +164,6 @@ ok(
),
"Refresh access token (after logout)"
);
-count(1);
expectOK($res);
$json = expectJSON($res);
@@ -170,12 +173,11 @@ $id_token = $json->{id_token};
ok( $access_token, "Got refreshed Access token" );
ok( $id_token, "Got refreshed ID token" );
ok( !defined $refresh_token2, "Refresh token not present" );
-count(3);
$id_token_payload = id_token_payload($id_token);
is( $id_token_payload->{name}, 'Frédéric Accents',
'Found claim in ID token' );
-count(1);
+is( $id_token_payload->{sub}, 'customfrench', 'Found sub in ID token' );
## Get userinfo again
ok(
@@ -191,11 +193,10 @@ ok(
"Post new access token"
);
expectOK($res);
-count(1);
$json = expectJSON($res);
ok( $json->{name} eq "Frédéric Accents", "Correct user info" );
-count(1);
+ok( $json->{'sub'} eq "customfrench", 'Got User Info' );
# Make sure offline session is still valid long after natural session expiration time
@@ -215,7 +216,6 @@ ok(
),
"Refresh access token (in the future)"
);
-count(1);
expectOK($res);
$json = expectJSON($res);
@@ -225,7 +225,6 @@ $id_token = $json->{id_token};
ok( $access_token, "Got refreshed Access token" );
ok( $id_token, "Got refreshed ID token" );
ok( !defined $refresh_token2, "Refresh token not present" );
-count(3);
$id_token_payload = id_token_payload($id_token);
is( $id_token_payload->{name}, 'Frédéric Accents',
@@ -240,7 +239,6 @@ ok( (
);
ok( ( grep { $_ eq "urn:extra2" } @{ $id_token_payload->{aud} } ),
'Check for additional audiences' );
-count(4);
## Get userinfo again
ok(
@@ -256,11 +254,10 @@ ok(
"Post new access token"
);
expectOK($res);
-count(1);
$json = expectJSON($res);
ok( $json->{name} eq "Frédéric Accents", "Correct user info" );
-count(1);
+ok( $json->{'sub'} eq "customfrench", 'Got User Info' );
## Test introspection of refreshed token #2171
my $req = 'client_id=rpid&client_secret=rpsecret&token=' . $access_token;
@@ -273,18 +270,16 @@ ok(
),
"Post new access token"
);
-count(1);
$json = expectJSON($res);
is( $json->{active}, 1, 'Token is active' );
is( $json->{client_id}, 'rpid', 'Introspection contains client_id' );
-is( $json->{sub}, 'french', 'Introspection contains sub' );
+is( $json->{sub}, 'customfrench', 'Introspection contains sub' );
# #2168
ok( ( grep { $_ eq "!weird:scope.name~" } ( split /\s+/, $json->{scope} ) ),
"Scope contains weird scope name" );
-count(4);
clean_sessions();
-done_testing( count() );
+done_testing();
diff --git a/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t b/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
index 6b729cf08..1449b0af8 100644
--- a/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
@@ -119,6 +119,7 @@ ok( $refresh_token, "Got refresh token" );
ok( $id_token, "Got ID token" );
my $id_token_payload = id_token_payload($id_token);
+is( $id_token_payload->{sub}, 'french', 'Found sub in ID token' );
is( $id_token_payload->{name}, 'Frédéric Accents',
'Found claim in ID token' );
ok( ( grep { $_ eq "rpid" } @{ $id_token_payload->{aud} } ),
@@ -145,6 +146,7 @@ $res = $op->_post(
$json = expectJSON($res);
+ok( $json->{'sub'} eq "french", 'Got User Info' );
ok( $json->{'name'} eq "Frédéric Accents", 'Got User Info' );
# Skip ahead in time
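Review bot: `ok( $json->{'sub'} eq "french", 'Got User Info' )` on the added line gives two consecutive assertions the identical description and, being an `ok` on a boolean, reports no got/expected diagnostics when it fails (and warns on an undefined `sub`). Use `is( $json->{sub}, 'french', 'Got default sub in user info' );`, which also documents that this file covers the default uid-derived `sub` in contrast to the macro-derived one tested elsewhere in this series. The second userinfo check later in this file has the same shape.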
@@ -189,6 +191,7 @@ ok( $id_token, "Got refreshed ID token" );
ok( !defined $json->{refresh_token}, "Refresh token not present" );
$id_token_payload = id_token_payload($id_token);
+is( $id_token_payload->{sub}, 'french', 'Found sub in ID token' );
is( $id_token_payload->{name}, 'Frédéric Accents',
'Found claim in ID token' );
@@ -205,6 +208,7 @@ $res = $op->_post(
$json = expectJSON($res);
+ok( $json->{'sub'} eq "french", 'Got User Info' );
ok( $json->{'name'} eq "Frédéric Accents", 'Got User Info' );
# Check failure conditions
@@ -247,4 +251,3 @@ is( $res->[0], 401,
clean_sessions();
done_testing();
-