SAML in progress (#595)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/SAML.pm

@@ -9,6 +9,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
   PE_SAML_ART_ERROR
   PE_SAML_CONDITIONS_ERROR
   PE_SAML_DESTINATION_ERROR
+  PE_SAML_ERROR
   PM_SAML_IDPCHOOSEN
   PE_SAML_IDPSSOINITIATED_NOTALLOWED
   PE_SAML_SESSION_ERROR
@@ -379,10 +380,7 @@ sub extractFormInfo {
             # This should not happen
             $self->lmLog( "SSO request or response was not found", 'error' );
 
-            # Redirect user
-            $req->mustRedirect(1);
-            $req->steps( [] );
-            return PE_OK;
+            return PE_SAML_ERROR;
         }
 
     }

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm

@@ -634,9 +634,8 @@ sub run {
               ->set_subject_name_id( $login->nameIdentifier );
 
             # Set basic conditions
-            my $oneTimeUse =
-              $self->conf->{samlSPMetaDataOptions}->{$spConfKey}
-              ->{samlSPMetaDataOptionsOneTimeUse};
+            my $oneTimeUse = $self->conf->{samlSPMetaDataOptions}->{$spConfKey}
+              ->{samlSPMetaDataOptionsOneTimeUse} // 0;
 
             my $conditionNotOnOrAfter = $notOnOrAfterTimeout || "86400";
             eval {
@@ -704,7 +703,7 @@ sub run {
             # Signature
             my $signSSOMessage =
               $self->conf->{samlSPMetaDataOptions}->{$spConfKey}
-              ->{samlSPMetaDataOptionsSignSSOMessage};
+              ->{samlSPMetaDataOptionsSignSSOMessage} // -1;
 
             if ( $signSSOMessage == 0 ) {
                 $self->lmLog( "SSO response will not be signed", 'debug' );
@@ -720,8 +719,8 @@ sub run {
             }
 
             # log that a SAML authn response is build
-            my $user = $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
-            my $nameIDLog;
+            my $user      = $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
+            my $nameIDLog = '';
             foreach my $format (qw(persistent transient)) {
                 if ( $login->nameIdentifier->Format eq
                     $self->getNameIDFormat($format) )

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm

@@ -4,6 +4,7 @@ use strict;
 use Mouse;
 use Lemonldap::NG::Common::Conf::SAML::Metadata;
 use Lemonldap::NG::Common::Session;
+use LWP::UserAgent;
 use XML::Simple;
 use MIME::Base64;
 use String::Random;
@@ -21,6 +22,20 @@ has lassoServer => ( is => 'rw' );
 has spList      => ( is => 'rw', default => sub { {} } );
 has idpList     => ( is => 'rw', default => sub { {} } );
 
+# return LWP::UserAgent object
+has ua => (
+    is      => 'rw',
+    lasy    => 1,
+    builder => sub {
+
+        # TODO : LWP options to use a proxy for example
+        my $ua = LWP::UserAgent->new();
+        push @{ $ua->requests_redirectable }, 'POST';
+        $ua->env_proxy();
+        return $ua;
+    }
+);
+
 # INITIALIZATION
 
 BEGIN {

lemonldap-ng-portal/t/30-Auth-and-issuer-SAML.t

@@ -4,7 +4,7 @@ use IO::String;
 
 require 't/test-lib.pm';
 
-my $maintests = 14;
+my $maintests = 19;
 my $debug     = 'debug';
 my $res;
 my %handlerOR = ( issuer => [], sp => [] );
@@ -25,7 +25,7 @@ SKIP: {
     ok( $sp = sp(), 'SP portal' );
     $handlerOR{sp} = \@Lemonldap::NG::Handler::Main::Reload::_onReload;
 
-    # Simple SP login
+    # Simple SP access
     my $res;
     ok(
         $res = $sp->_get(
@@ -95,6 +95,8 @@ SKIP: {
         'Found IdP URL'
     );
     my $url = $1;
+
+    # Push SAML request to IdP
     switch ('issuer');
     my $s = "SAMLRequest=$samlReq";
     ok(
@@ -107,6 +109,8 @@ SKIP: {
         'Post SAML request to IdP'
     );
     ok( $res->[0] == 200, 'Return code is 200' );
+
+    # Try to authenticate to IdP
     my $body = $res->[2]->[0];
     $body =~ s/^.*?<form.*?>//s;
     $body =~ s#</form>.*$##s;
@@ -120,12 +124,39 @@ SKIP: {
             $url,
             IO::String->new($s),
             accept => 'text/html',
-            length => length($s)
+            length => length($s),
         ),
         'Post authentication'
     );
+    ok( $res->[0] == 200, 'Response is 200' ) or explain( $res->[0], 200 );
+    $cookies = $sp->getCookies($res);
+    my $idpId;
+    ok( $idpId = $cookies->{lemonldap}, 'Get cookie' )
+      or explain( $res, 'Set-Cookie: something' );
 
-    #print STDERR Dumper($res);
+    # Post SAML artifact to SP
+    ok( $res->[2]->[0] =~ m#<form.+?action="http://auth.sp.com(.*?)".+?method="post"#,
+        'Form method is POST' );
+    $url = $1;
+    ok(
+        $res->[2]->[0] =~
+          /<input type="hidden".+?name="SAMLart".+?value="(.+?)"/s,
+        'Found SAML artifact'
+    );
+    my $samlArt = $1;
+    switch ('sp');
+    $s = "SAMLart=$samlArt";
+    ok(
+        $res = $sp->_post(
+            $url, IO::String->new($s),
+            accept => 'text/html',
+            length => length($s),
+            cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
+        ),
+        'Post artifact to SP'
+    );
+
+    #print STDERR Dumper( $res, $url, $s );
 }
 
 count($maintests);