SAML in progress (#595)
parent
abb61affe0
commit
c550606f50
@ -9,6 +9,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_SAML_ART_ERROR
|
PE_SAML_ART_ERROR
|
||||||
PE_SAML_CONDITIONS_ERROR
|
PE_SAML_CONDITIONS_ERROR
|
||||||
PE_SAML_DESTINATION_ERROR
|
PE_SAML_DESTINATION_ERROR
|
||||||
|
PE_SAML_ERROR
|
||||||
PM_SAML_IDPCHOOSEN
|
PM_SAML_IDPCHOOSEN
|
||||||
PE_SAML_IDPSSOINITIATED_NOTALLOWED
|
PE_SAML_IDPSSOINITIATED_NOTALLOWED
|
||||||
PE_SAML_SESSION_ERROR
|
PE_SAML_SESSION_ERROR
|
||||||
|
@ -379,10 +380,7 @@ sub extractFormInfo {
|
||||||
# This should not happen
|
# This should not happen
|
||||||
$self->lmLog( "SSO request or response was not found", 'error' );
|
$self->lmLog( "SSO request or response was not found", 'error' );
|
||||||
|
|
||||||
# Redirect user
|
return PE_SAML_ERROR;
|
||||||
$req->mustRedirect(1);
|
|
||||||
$req->steps( [] );
|
|
||||||
return PE_OK;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -634,9 +634,8 @@ sub run {
|
||||||
->set_subject_name_id( $login->nameIdentifier );
|
->set_subject_name_id( $login->nameIdentifier );
|
||||||
|
|
||||||
# Set basic conditions
|
# Set basic conditions
|
||||||
my $oneTimeUse =
|
my $oneTimeUse = $self->conf->{samlSPMetaDataOptions}->{$spConfKey}
|
||||||
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
|
->{samlSPMetaDataOptionsOneTimeUse} // 0;
|
||||||
->{samlSPMetaDataOptionsOneTimeUse};
|
|
||||||
|
|
||||||
my $conditionNotOnOrAfter = $notOnOrAfterTimeout || "86400";
|
my $conditionNotOnOrAfter = $notOnOrAfterTimeout || "86400";
|
||||||
eval {
|
eval {
|
||||||
|
@ -704,7 +703,7 @@ sub run {
|
||||||
# Signature
|
# Signature
|
||||||
my $signSSOMessage =
|
my $signSSOMessage =
|
||||||
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
|
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
|
||||||
->{samlSPMetaDataOptionsSignSSOMessage};
|
->{samlSPMetaDataOptionsSignSSOMessage} // -1;
|
||||||
|
|
||||||
if ( $signSSOMessage == 0 ) {
|
if ( $signSSOMessage == 0 ) {
|
||||||
$self->lmLog( "SSO response will not be signed", 'debug' );
|
$self->lmLog( "SSO response will not be signed", 'debug' );
|
||||||
|
@ -720,8 +719,8 @@ sub run {
|
||||||
}
|
}
|
||||||
|
|
||||||
# log that a SAML authn response is build
|
# log that a SAML authn response is build
|
||||||
my $user = $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
|
my $user = $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
|
||||||
my $nameIDLog;
|
my $nameIDLog = '';
|
||||||
foreach my $format (qw(persistent transient)) {
|
foreach my $format (qw(persistent transient)) {
|
||||||
if ( $login->nameIdentifier->Format eq
|
if ( $login->nameIdentifier->Format eq
|
||||||
$self->getNameIDFormat($format) )
|
$self->getNameIDFormat($format) )
|
||||||
|
|
|
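Review bot: The `// -1` default added on the `->{samlSPMetaDataOptionsSignSSOMessage}` line in the -704 hunk changes which branch an SP with no such option takes, and nothing in the hunk says what -1 means. Before the change the unset option was undef, which Perl treats as 0 in the unchanged `if ( $signSSOMessage == 0 )` test (with an uninitialized warning), so the "SSO response will not be signed" branch ran; now that comparison is false and control falls to whatever handles -1 further down, presumably a global signing default. Because this decides whether the SAML response is signed, the sentinel deserves a comment on the new line, e.g. `# -1: no per-SP setting, fall back to the global SSO signing policy — confirm`. The `// 0` defaulting of `$oneTimeUse` in the -634 hunk is the same pattern and would read better with a one-line note too. `run` starts and ends outside these hunks.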
@ -4,6 +4,7 @@ use strict;
|
||||||
use Mouse;
|
use Mouse;
|
||||||
use Lemonldap::NG::Common::Conf::SAML::Metadata;
|
use Lemonldap::NG::Common::Conf::SAML::Metadata;
|
||||||
use Lemonldap::NG::Common::Session;
|
use Lemonldap::NG::Common::Session;
|
||||||
|
use LWP::UserAgent;
|
||||||
use XML::Simple;
|
use XML::Simple;
|
||||||
use MIME::Base64;
|
use MIME::Base64;
|
||||||
use String::Random;
|
use String::Random;
|
||||||
|
@ -21,6 +22,20 @@ has lassoServer => ( is => 'rw' );
|
||||||
has spList => ( is => 'rw', default => sub { {} } );
|
has spList => ( is => 'rw', default => sub { {} } );
|
||||||
has idpList => ( is => 'rw', default => sub { {} } );
|
has idpList => ( is => 'rw', default => sub { {} } );
|
||||||
|
|
||||||
|
# return LWP::UserAgent object
|
||||||
|
has ua => (
|
||||||
|
is => 'rw',
|
||||||
|
lasy => 1,
|
||||||
|
builder => sub {
|
||||||
|
|
||||||
|
# TODO : LWP options to use a proxy for example
|
||||||
|
my $ua = LWP::UserAgent->new();
|
||||||
|
push @{ $ua->requests_redirectable }, 'POST';
|
||||||
|
$ua->env_proxy();
|
||||||
|
return $ua;
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
# INITIALIZATION
|
# INITIALIZATION
|
||||||
|
|
||||||
BEGIN {
|
BEGIN {
|
||||||
|
|
|
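Review bot: `lasy => 1` on the new `has ua` attribute is a typo for `lazy => 1`, so the option is silently dropped and the LWP::UserAgent is built eagerly when the object is constructed rather than on first use. The builder is also passed as a coderef, whereas Mouse/Moose `builder` conventionally names a method; the idiomatic form is either `lazy => 1, default => sub { ... }` or `builder => '_build_ua'` with a separate `sub _build_ua`. Since this agent carries the outbound SAML HTTP exchanges (presumably artifact resolution and similar calls), consider giving the constructor a `timeout` so a slow or unresponsive remote endpoint cannot hold a portal worker for LWP's default 180 seconds. The header comment could then state what the agent does and why POST is added to `requests_redirectable`: `# LWP::UserAgent for outbound SAML exchanges; follows POST redirects (re-sends the body to the redirect target) and honours proxy env vars`.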
@ -4,7 +4,7 @@ use IO::String;
|
||||||
|
|
||||||
require 't/test-lib.pm';
|
require 't/test-lib.pm';
|
||||||
|
|
||||||
my $maintests = 14;
|
my $maintests = 19;
|
||||||
my $debug = 'debug';
|
my $debug = 'debug';
|
||||||
my $res;
|
my $res;
|
||||||
my %handlerOR = ( issuer => [], sp => [] );
|
my %handlerOR = ( issuer => [], sp => [] );
|
||||||
|
@ -25,7 +25,7 @@ SKIP: {
|
||||||
ok( $sp = sp(), 'SP portal' );
|
ok( $sp = sp(), 'SP portal' );
|
||||||
$handlerOR{sp} = \@Lemonldap::NG::Handler::Main::Reload::_onReload;
|
$handlerOR{sp} = \@Lemonldap::NG::Handler::Main::Reload::_onReload;
|
||||||
|
|
||||||
# Simple SP login
|
# Simple SP access
|
||||||
my $res;
|
my $res;
|
||||||
ok(
|
ok(
|
||||||
$res = $sp->_get(
|
$res = $sp->_get(
|
||||||
|
@ -95,6 +95,8 @@ SKIP: {
|
||||||
'Found IdP URL'
|
'Found IdP URL'
|
||||||
);
|
);
|
||||||
my $url = $1;
|
my $url = $1;
|
||||||
|
|
||||||
|
# Push SAML request to IdP
|
||||||
switch ('issuer');
|
switch ('issuer');
|
||||||
my $s = "SAMLRequest=$samlReq";
|
my $s = "SAMLRequest=$samlReq";
|
||||||
ok(
|
ok(
|
||||||
|
@ -107,6 +109,8 @@ SKIP: {
|
||||||
'Post SAML request to IdP'
|
'Post SAML request to IdP'
|
||||||
);
|
);
|
||||||
ok( $res->[0] == 200, 'Return code is 200' );
|
ok( $res->[0] == 200, 'Return code is 200' );
|
||||||
|
|
||||||
|
# Try to authenticate to IdP
|
||||||
my $body = $res->[2]->[0];
|
my $body = $res->[2]->[0];
|
||||||
$body =~ s/^.*?<form.*?>//s;
|
$body =~ s/^.*?<form.*?>//s;
|
||||||
$body =~ s#</form>.*$##s;
|
$body =~ s#</form>.*$##s;
|
||||||
|
@ -120,12 +124,39 @@ SKIP: {
|
||||||
$url,
|
$url,
|
||||||
IO::String->new($s),
|
IO::String->new($s),
|
||||||
accept => 'text/html',
|
accept => 'text/html',
|
||||||
length => length($s)
|
length => length($s),
|
||||||
),
|
),
|
||||||
'Post authentication'
|
'Post authentication'
|
||||||
);
|
);
|
||||||
|
ok( $res->[0] == 200, 'Response is 200' ) or explain( $res->[0], 200 );
|
||||||
|
$cookies = $sp->getCookies($res);
|
||||||
|
my $idpId;
|
||||||
|
ok( $idpId = $cookies->{lemonldap}, 'Get cookie' )
|
||||||
|
or explain( $res, 'Set-Cookie: something' );
|
||||||
|
|
||||||
#print STDERR Dumper($res);
|
# Post SAML artifact to SP
|
||||||
|
ok( $res->[2]->[0] =~ m#<form.+?action="http://auth.sp.com(.*?)".+?method="post"#,
|
||||||
|
'Form method is POST' );
|
||||||
|
$url = $1;
|
||||||
|
ok(
|
||||||
|
$res->[2]->[0] =~
|
||||||
|
/<input type="hidden".+?name="SAMLart".+?value="(.+?)"/s,
|
||||||
|
'Found SAML artifact'
|
||||||
|
);
|
||||||
|
my $samlArt = $1;
|
||||||
|
switch ('sp');
|
||||||
|
$s = "SAMLart=$samlArt";
|
||||||
|
ok(
|
||||||
|
$res = $sp->_post(
|
||||||
|
$url, IO::String->new($s),
|
||||||
|
accept => 'text/html',
|
||||||
|
length => length($s),
|
||||||
|
cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata',
|
||||||
|
),
|
||||||
|
'Post artifact to SP'
|
||||||
|
);
|
||||||
|
|
||||||
|
#print STDERR Dumper( $res, $url, $s );
|
||||||
}
|
}
|
||||||
|
|
||||||
count($maintests);
|
count($maintests);
|
||||||
|
|
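Review bot: The new artifact round-trip ends at 'Post artifact to SP' without asserting anything about the SP's answer, so an artifact the SP rejects or mis-parses still passes; add a check on `$res->[0]` and on the SP session cookie via `$sp->getCookies($res)` with the expected values of this flow, in place of the commented-out Dumper. The lines `$url = $1;` and `my $samlArt = $1;` read `$1` after an `ok(...)` whose match may have failed, in which case `$1` still holds the capture from the earlier 'Found IdP URL' match and the test continues with a stale value; capturing directly avoids that, e.g. `my ($spUrl) = $res->[2]->[0] =~ m#<form.+?action="http://auth.sp.com(.*?)".+?method="post"#;` followed by `ok( defined $spUrl, 'Form method is POST' );`. The bump of `$maintests` to 19 does match the five `ok` calls added here. The enclosing SKIP block starts outside the hunk.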